Buffer Over flow when parsing tar/zip/phar in phar_set_inode
| Sec Bug #69441 | Buffer Over flow when parsing tar/zip/phar in phar_set_inode | | |
|---|---|---|---|
| Submitted: | 2015-04-14 05:35 UTC | Modified: | 2015-04-17 20:55 UTC |
| From: | emmanuel dot law at gmail dot com | Assigned: | stas (profile) |
| Status: | Closed | Package: | PHAR related |
| PHP Version: | 5.6.8RC1 | OS: | * |
| Private report: | No | CVE-ID: | 2015-3329 |
[2015-04-14 05:35 UTC] emmanuel dot law at gmail dot com

Description:
------------
There is a buffer overflow vulnerability when parsing tar/zip/phar via the Phar & PharData class. The vulnerability is in phar_set_inode() @ phar_internal.h:535. A buffer is allocated @ phar_internal.h:536:

```c
char tmp[MAXPATHLEN];
```

On my 64-bit Ubuntu, MAXPATHLEN = 0x1000.

The vulnerability is triggered further down @ phar_internal.h:540:

```c
tmp_len = entry->filename_len + entry->phar->fname_len;
memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
```

There is no validation that tmp_len is smaller than MAXPATHLEN. Both entry->filename_len & entry->phar->fname_len are obtained directly from the file and thus controllable by an attacker. This results in a buffer overflow vulnerability in the subsequent memcpy.

There are multiple pathways to trigger this vulnerable point:
- Parsing Tar file
- Parsing Phar file
- Parsing Zip file

Test script:
---------------
I've created both a tar and a zip archive that trigger this vulnerability:
https://www.dropbox.com/s/al8x6v7cv6yr72g/POC_BOF_Php_phar_set_inode.zip?dl=0

Test Environment:
- x64 Ubuntu
- ./configure --enable-zip --enable-debug

Actual result:
--------------
```
Breakpoint 1, phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:540
540	    tmp_len = entry->filename_len + entry->phar->fname_len;
gdb-peda$ p sizeof(tmp)
$1 = 0x1000
gdb-peda$ p tmp_len
$2 = 0x102d
gdb-peda$ bt
#0  phar_set_inode (entry=0x7ffffffea030) at /home/elaw/php-5.6.8RC1/ext/phar/phar_internal.h:541
#1  0x000000000061db85 in phar_parse_zipfile (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0, pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/zip.c:638
#2  0x000000000063394f in phar_open_from_fp (fp=0x7ffff7fbf610, fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0, options=0x8, pphar=0x7fffffffa8a8, is_data=0x0, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1703
#3  0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fc00a0 "/home/elaw/php-5.6.8RC1/sapi/cli/POC_BOF.phar", fname_len=0x2d, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#4  0x0000000000632602 in phar_open_or_create_filename (fname=0x7ffff7fbe4f8 "POC_BOF.phar", fname_len=0xc, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa8a8, error=0x7fffffffa8e8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1315
#5  0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbf878, return_value_ptr=0x7ffff7f854b8, this_ptr=0x7ffff7fbec00, return_value_used=0x0) at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189
#6  0x000000000084ef6a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:558
#7  0x000000000084f741 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:693
#8  0x000000000084e5d3 in execute_ex (execute_data=0x7ffff7f858f0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:363
#9  0x000000000084e65c in zend_execute (op_array=0x7ffff7fbd0e0) at /home/elaw/php-5.6.8RC1/Zend/zend_vm_execute.h:388
#10 0x000000000080ae07 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/elaw/php-5.6.8RC1/Zend/zend.c:1341
#11 0x00000000007763a9 in php_execute_script (primary_file=0x7fffffffdfc0) at /home/elaw/php-5.6.8RC1/main/main.c:2597
#12 0x00000000008bcaee in do_cli (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:994
#13 0x00000000008bdbfb in main (argc=0x2, argv=0xf97f00) at /home/elaw/php-5.6.8RC1/sapi/cli/php_cli.c:1378
#14 0x00007ffff624eb45 in __libc_start_main (main=0x8bd55b <main>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe338) at libc-start.c:287
#15 0x0000000000421719 in _start ()

Stopped reason: SIGSEGV
0x00000000deadbeef in ?? ()
gdb-peda$ p $rip
$1 = (void (*)()) 0xdeadbeef
```
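An added example, not the reporter's code and not PHP's own fix: a stand-alone C model of phar_set_inode() with the missing length check in place. The struct names with the `_stub` suffix, `hash_bytes` (a placeholder for zend_get_hash_value) and `run_case` are assumptions made for the example; the 0x2d/0x1000 lengths mirror the report's 0x102d case.

```c
#include <string.h>
#define MAXPATHLEN 4096   /* 0x1000 on the reporter's 64-bit Ubuntu */

/* Stand-ins for the phar structs, modelling only the fields phar_set_inode() touches. */
typedef struct { const char *fname; size_t fname_len; } phar_archive_stub;
typedef struct {
    const char *filename;   /* entry name and length come straight from the archive, */
    size_t filename_len;    /* so both are attacker-controlled */
    phar_archive_stub *phar;
    unsigned int inode;
} phar_entry_stub;

static unsigned int hash_bytes(const char *s, size_t len)
{   /* placeholder for zend_get_hash_value(); any deterministic hash serves here */
    unsigned int h = 5381;
    for (size_t i = 0; i < len; i++) h = h * 33 + (unsigned char)s[i];
    return h;
}

/* Checked variant: reject the entry when fname_len + filename_len would not fit in
 * tmp[MAXPATHLEN]; the two-step comparison also avoids size_t wrap in the sum.
 * Returns 0 on success, -1 when the combined length is rejected. */
int phar_set_inode_checked(phar_entry_stub *entry)
{
    char tmp[MAXPATHLEN];
    size_t tmp_len;
    if (entry->filename_len > MAXPATHLEN ||
        entry->phar->fname_len > MAXPATHLEN - entry->filename_len)
        return -1;
    tmp_len = entry->filename_len + entry->phar->fname_len;   /* <= MAXPATHLEN here */
    memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
    memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
    entry->inode = hash_bytes(tmp, tmp_len);
    return 0;
}

/* Constructed input: archive path of fname_len 'p' bytes, entry name of filename_len
 * 'a' bytes. Returns the checked function's result (-2 if the lengths exceed the stubs). */
int run_case(size_t fname_len, size_t filename_len)
{
    static char fname_buf[MAXPATHLEN + 64], name_buf[MAXPATHLEN + 64];
    if (fname_len > sizeof fname_buf || filename_len > sizeof name_buf) return -2;
    memset(fname_buf, 'p', fname_len);
    memset(name_buf, 'a', filename_len);
    phar_archive_stub ar = { fname_buf, fname_len };
    phar_entry_stub e = { name_buf, filename_len, &ar, 0 };
    return phar_set_inode_checked(&e);
}
```

run_case(0x2d, 0x1000) reproduces the report's combined length of 0x102d and is rejected with -1 before any byte is copied, while run_case(0x2d, 64) succeeds.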
History
[2015-04-14 07:21 UTC] stas@php.net
-Assigned To:
+Assigned To: stas

[2015-04-14 07:29 UTC] stas@php.net
-Status: Assigned
+Status: Closed

[2015-04-17 20:55 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2015-3329