PHP libgd Integer Overflow Vulnerability

Vulnerability ID 1204746 Vulnerability type Numeric Errors
Published 2002-02-03 Updated 2007-10-25
CVE ID CVE-2007-3996 CNNVD ID CNNVD-200709-015
Platform N/A CVSS score 6.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007090020
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-015
|Vulnerability details
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded into HTML. PHP's bundled libgd contains multiple integer overflow vulnerabilities. A remote attacker who passes a very large srcW or srcH value to the gdImageCopyResized function, or a very large sy (height) or sx (width) value to the gdImageCreate or gdImageCreateTrueColor function, can cause a denial of service or execute arbitrary code.
|Exploit
PHP ImageCopyResized/ImageCopyResampled Integer Overflow

Affected Products:
<= PHP 5.2.3

Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>

Reported:
2007-06-05

Released:
2007-08-30

CVE:
CVE-2007-3996

Issue:

Two integer overflows exist in PHP's implementation of libgd. Remote exploitation of this overflow may, under some circumstances, allow execution of arbitrary code.

Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. libgd is used for dynamic creation of images.

Details:

The overflow is located in the function gdImageCopyResized(), which is used within the PHP code and can also be reached from PHP via imagecopyresized() or imagecopyresampled().

...

/* srcW and srcH come from the image dimensions; the products below are
 * computed in plain integer arithmetic with no overflow check, so a large
 * dimension wraps the size and gdMalloc returns a far smaller buffer. */
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);

...

/* The loops still run srcW and srcH times, writing past the small buffer. */
for (i = 0; (i < srcW); i++) {
	stx[i] = dstW * (i+1) / srcW - dstW * i / srcW ;
}
for (i = 0; (i < srcH); i++) {
	sty[i] = dstH * (i+1) / srcH - dstH * i / srcH ;
}

...

Passing a high value of srcW or srcH results in an integer overflow when computing the size of the buffer allocated for stx and sty. The for-loops that follow the allocation then write a large amount of data past the undersized buffer, which results in a crash or possibly execution of arbitrary code.

If a web application uses this function to resize images that can be uploaded remotely, the overflow can be triggered by a specially crafted image file.
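The following C program is an added example written for this page; it is not libgd's or PHP's own code. It models the size computation from the excerpt above on a 32-bit build (where size_t is 32 bits, so sizeof(int) * srcW wraps), and places a checked allocation beside it. The helper names (wrapped_request_32, mul_overflows_int, alloc_step_table, step_table_sum), the max_count dimension budget and the constructed widths are assumptions for illustration; the overflow check is written in the spirit of the fix shipped in PHP 5.2.4 but is not copied from it.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count that the unchecked expression sizeof(int) * srcW produces
 * on a 32-bit build (32-bit size_t). Computed in uint32_t so the wrap is
 * reproducible on any host; assumes sizeof(int) == 4. */
uint32_t wrapped_request_32(int srcW)
{
    return (uint32_t)sizeof(int) * (uint32_t)srcW;
}

/* Returns 1 when a * b does not fit in an int, or when either operand is
 * not positive. Assumed helper; not copied from libgd. */
int mul_overflows_int(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* Hardened replacement for gdMalloc(sizeof(int) * count): refuse when the
 * byte size would overflow, and also when count exceeds a caller-supplied
 * dimension budget (assumed policy, not part of libgd). */
int *alloc_step_table(int count, int max_count)
{
    if (mul_overflows_int(count, (int)sizeof(int)))
        return NULL;
    if (count > max_count)
        return NULL;
    return (int *)malloc(sizeof(int) * (size_t)count);
}

/* The loop body from the advisory, unchanged. The entries telescope, so
 * their sum is always dst; that sum is returned as a self-check. */
int fill_step_table(int *st, int src, int dst)
{
    int i, sum = 0;
    for (i = 0; i < src; i++) {
        st[i] = dst * (i + 1) / src - dst * i / src;
        sum += st[i];
    }
    return sum;
}

/* End to end: allocate with the checks, fill, and return the telescoped
 * sum, or -1 when the request was refused. dst * src must also fit in an
 * int, otherwise the loop arithmetic itself would overflow. */
int step_table_sum(int src, int dst, int max_count)
{
    int *st, sum;
    if (mul_overflows_int(dst, src))
        return -1;
    st = alloc_step_table(src, max_count);
    if (st == NULL)
        return -1;
    sum = fill_step_table(st, src, dst);
    free(st);
    return sum;
}

int main(void)
{
    /* Constructed values: the PoC's 0x7fffffff, and a second width whose
     * wrapped size is only 4 bytes although the loop runs a billion times. */
    printf("srcW=0x7fffffff -> 32-bit request %#x bytes\n",
           (unsigned)wrapped_request_32(0x7fffffff));
    printf("srcW=0x40000001 -> 32-bit request %u bytes\n",
           (unsigned)wrapped_request_32(0x40000001));
    printf("checked alloc for 0x7fffffff: %s\n",
           alloc_step_table(0x7fffffff, 1 << 16) ? "allowed" : "refused");
    printf("sum for src=120, dst=60: %d\n", step_table_sum(120, 60, 1 << 16));
    return 0;
}
```

The telescoping sum is a cheap invariant for a regression test: any correctly filled table sums to dst, while a refused request returns -1 rather than a partially written buffer. The dimension budget is the practical mitigation for a web application that resizes uploads, since even a non-wrapping multi-gigabyte request is a denial-of-service on its own.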

Proof Of Concepts:

<?php

imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),
                imagecreatetruecolor(120, 120),
                0, 0, 0, 0, 0x7fffffff, 120, 120, 120);

?>

Impact:

Due to the fact that this vulnerability can be triggered remotely the impact should be considered high.

Solution:

Upgrade to PHP 5.2.4
|References

Source: www.php.net
Link: http://www.php.net/ChangeLog-5.php#5.2.4
Source: MISC
Link: http://secweb.se/en/advisories/php-imagecopyresized-integer-overflow/
Source: SECUNIA
Name: 26642
Link: http://secunia.com/advisories/26642
Source: www.php.net
Link: http://www.php.net/releases/5_2_4.php
Source: DEBIAN
Name: DSA-1613
Link: http://www.debian.org/security/2008/dsa-1613
Source: MISC
Link: http://secweb.se/en/advisories/php-imagecreatetruecolor-integer-overflow/
Source: SECUNIA
Name: 31168
Link: http://secunia.com/advisories/31168
Source: FEDORA
Name: FEDORA-2007-709
Link: https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00354.html
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1702
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1693
Source: XF
Name: php-gdimagecopyresized-bo(36383)
Link: http://xforce.iss.net/xforce/xfdb/36383
Source: XF
Name: php-gdimagecreate-bo(36382)
Link: http://xforce.iss.net/xforce/xfdb/36382
Source: UBUNTU
Name: USN-557-1
Link: http://www.ubuntu.com/usn/usn-557-1
Source: TRUSTIX
Name: 2007-0026
Link: http://www.trustix.org/errata/2