Memory Corruption in phar_parse_tarfile when entry filename starts with null
| Sec Bug #69453 | Memory Corruption in phar_parse_tarfile when entry filename starts with null |
|---|---|
| Submitted: | 2015-04-14 22:15 UTC |
| Modified: | 2015-05-19 05:33 UTC |
| From: | emmanuel dot law at gmail dot com |
| Assigned: | laruence |
| Status: | Closed |
| Package: | PHAR related |
| PHP Version: | 5.6.8 |
| OS: | * |
| Private report: | No |
| CVE-ID: | 2015-4021 |
[2015-04-14 22:15 UTC] emmanuel dot law at gmail dot com
Description:
------------
This is a single byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte.
At tar.c:430 entry.filename_len will be set to zero.

```c
if (hdr->name[i] == '\0') {
    break;
}
entry.filename_len = i;
```
This will result in an underflow in the array index at tar.c:437:

```c
if (entry.filename[entry.filename_len - 1] == '/') {
    entry.filename[entry.filename_len - 1] = '\0';
    entry.filename_len--;
}
```
Since entry.filename is pointing to a heap chunk (zend_mm_block), on an x86 machine it has the potential to corrupt the heap chunk metadata.
On an x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF.
Test script:
---------------
POC here:
https://www.dropbox.com/s/dg8uit7533e8q8l/POC_1byte_corruption.zip?dl=0
```
$ ./php POC_FileName_Nullbyte_crash.php
Segmentation fault
```
Actual result:
--------------
```
gdb-peda$ frame
#0 phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
437 if (entry.filename[entry.filename_len - 1] == '/') {
gdb-peda$ p entry.filename_len
$2 = 0x0
gdb-peda$ p entry.filename_len -1
$3 = 0xffffffff <<< integer underflow
gdb-peda$ bt
#0 phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
#1 0x00000000006339d2 in phar_open_from_fp (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
fname_len=0x56, alias=0x0, alias_len=0x0, options=0x8, pphar=0x7fffffffa760, is_data=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1709
#2 0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
fname_len=0x56, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa760, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#3 0x0000000000612018 in phar_open_or_create_tar (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8,
pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:130
#4 0x00000000006325d3 in phar_open_or_create_filename (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0,
options=0x8, pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1312
#5 0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbc350, return_value_ptr=0x7ffff7f854d0, this_ptr=0x7ffff7fbc440, return_value_used=0x0)
at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189
```
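As an added example that is not part of this report and is not PHP's ext/phar/tar.c: the name-length scan the report quotes, reimplemented in C with the zero-length check the quoted code lacks, so that a header whose name field starts with a NUL byte is rejected instead of indexing `name[len - 1]`. The function names, the status codes and the 100-byte ustar name field are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not PHP's tar.c: the ustar "name" field is 100 bytes. */
#define TAR_NAME_FIELD 100

typedef enum {
    TAR_NAME_OK = 0,
    TAR_NAME_EMPTY = 1,   /* name field begins with '\0' (the report's trigger) */
    TAR_NAME_NOMEM = 2
} tar_name_status;

/* Extract the entry name from a ustar header name field into a malloc'd,
 * NUL-terminated buffer, strip one trailing '/', and store the resulting
 * length in *out_len. The caller frees *out when TAR_NAME_OK is returned. */
tar_name_status tar_entry_name(const char *hdr_name, char **out, size_t *out_len)
{
    size_t i;
    char *name;

    *out = NULL;
    *out_len = 0;

    /* Same scan as the loop the report quotes at tar.c:430: the length is the
     * index of the first NUL, or 100 if the field is not NUL-terminated. */
    for (i = 0; i < TAR_NAME_FIELD; i++) {
        if (hdr_name[i] == '\0') {
            break;
        }
    }

    /* The guard missing at tar.c:437. With i == 0, name[i - 1] wraps to
     * 0xffffffff for the 32-bit length gdb shows (or SIZE_MAX for a size_t):
     * a read far outside the allocation, and a one-byte write if that byte
     * happens to be '/'. Reject the entry as corrupt instead. */
    if (i == 0) {
        return TAR_NAME_EMPTY;
    }

    name = malloc(i + 1);
    if (name == NULL) {
        return TAR_NAME_NOMEM;
    }
    memcpy(name, hdr_name, i);
    name[i] = '\0';

    /* Directory entries carry a trailing '/'; i >= 1 here, so the index is valid. */
    if (name[i - 1] == '/') {
        name[i - 1] = '\0';
        i--;
    }

    *out = name;
    *out_len = i;
    return TAR_NAME_OK;
}

/* Test helper: build a zero-padded 100-byte name field from a C string.
 * Longer strings are truncated to the field, as in a real header. */
void make_name_field(const char *s, char field[TAR_NAME_FIELD])
{
    size_t n = strlen(s);
    memset(field, 0, TAR_NAME_FIELD);
    memcpy(field, s, n < TAR_NAME_FIELD ? n : TAR_NAME_FIELD);
}

int main(void)
{
    char field[TAR_NAME_FIELD];
    char *name;
    size_t len;

    make_name_field("dir/", field);   /* constructed: ordinary directory entry */
    if (tar_entry_name(field, &name, &len) == TAR_NAME_OK) {
        printf("name=\"%s\" len=%zu\n", name, len);
        free(name);
    }

    make_name_field("", field);       /* constructed: first byte is NUL */
    if (tar_entry_name(field, &name, &len) == TAR_NAME_EMPTY) {
        printf("rejected entry with empty name\n");
    }
    return 0;
}
```

The check sits between the length scan and the first use of `len - 1`; placing it anywhere later (for instance after the allocation) leaves the same underflow reachable. A zero-length entry name is never valid in a tar archive, so rejecting the whole archive at this point loses nothing.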
[2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.8RC1 +PHP Version: 5.6.8
[2015-05-12 19:40 UTC] stas@php.net
-Status: Open +Status: Closed
[2015-05-19 05:33 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
-CVE-ID: +CVE-ID: 2015-4021