Wed, 07 Mar 2007

Summary

PHP 5 comes with the substr_compare() function, which allows a binary-safe, optionally case-insensitive comparison of two strings starting at a given offset, for up to length characters.

Due to an integer overflow while performing sanity checks on the arguments, it is possible to compare against offsets far outside the allocated buffer. This allows reading memory behind PHP variables to retrieve sensitive information (like offsets, canaries, ...).

Affected versions

Affected are PHP <= 5.2.1

Detailed information

The substr_compare() function performs exactly 2 sanity checks on the input parameters.

    /* check 1: a negative offset counts from the end of the first string */
    if (offset < 0) {
        offset = s1_len + offset;
        offset = (offset < 0) ? 0 : offset;
    }

    /* check 2: signed addition; offset + len can wrap to a negative value */
    if ((offset + len) > s1_len) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed ...");
        RETURN_FALSE;
    }

The first check ensures that a negative offset is considered relative to the end of the first input string, and the second check ensures that offset and requested length do not exceed the buffer length.

However, the second check does not take into account that the addition of two positive signed variables can result in a negative value when an integer overflow occurs. A negative sum is never greater than s1_len, so the check passes and it is possible to access memory outside the buffer, as demonstrated in the attached exploit.
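As an added illustration (not code from the advisory or from PHP itself), the following C model reproduces the two sanity checks as a stand-alone function and places them next to an overflow-safe rewrite. The function names, the rejection of negative lengths and the emulation of two's-complement wraparound through unsigned arithmetic are assumptions made for the demo.

```c
#include <limits.h>
#include <stdbool.h>

/* Model of the two sanity checks in substr_compare() of PHP <= 5.2.1.
 * offset, len and s1_len are signed longs, as in the PHP source.
 * Returns true when the checks accept the (offset, len) pair. */
bool vulnerable_check(long offset, long len, long s1_len)
{
    if (offset < 0) {
        offset = s1_len + offset;
        offset = (offset < 0) ? 0 : offset;
    }
    /* The original does "offset + len" in signed arithmetic. Signed overflow
     * is undefined in C, so the two's-complement wraparound that the PHP
     * binary exhibited in practice is emulated here with unsigned math
     * (assumption for the demo). Two large positive operands wrap negative,
     * and a negative sum is never "> s1_len", so the check is bypassed. */
    long sum = (long)((unsigned long)offset + (unsigned long)len);
    if (sum > s1_len) {
        return false;
    }
    return true;
}

/* Overflow-safe rewrite (an assumed hardening, not the upstream patch):
 * never add the two caller-controlled values; bound each one separately
 * against the remaining buffer. A negative length is rejected outright. */
bool hardened_check(long offset, long len, long s1_len)
{
    if (len < 0 || s1_len < 0) {
        return false;
    }
    if (offset < 0) {
        offset = s1_len + offset;
        offset = (offset < 0) ? 0 : offset;
    }
    /* offset and len are both >= 0 here, so no subtraction can wrap. */
    if (offset > s1_len || len > s1_len - offset) {
        return false;
    }
    return true;
}

/* True when the vulnerable check accepts a pair that the safe check rejects,
 * i.e. when the pair would let the comparison reach memory past the buffer. */
bool check_bypassed(long offset, long len, long s1_len)
{
    return vulnerable_check(offset, len, s1_len) &&
           !hardened_check(offset, len, s1_len);
}
```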

By comparing an ASCIIZ char and an ASCII 01 char against an offset outside the buffer and comparing the return values of substr_compare(), it is possible to determine the ASCII value of the byte outside the buffer. This allows creating an exact copy of the memory behind the variable passed as the first parameter of substr_compare().

Proof of concept, exploit or instructions to reproduce

The attached exploit will leak the 4096 bytes following the variable $x and output them in a hexdump.

memdump
---------

00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 00 a7 ec be 5e 2d 00 00 00 35 AAAAAA....^-...5
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 8b ec be 5e 31 00 00 00 2d 00 00 00 00 ......^1...-....
00000060: 00 00 00 00 00 00 00 14 fb c1 b7 38 fb c1 b7 a8 ...........8....
00000070: 3e c2 b7 5c fa c1 b7 00 00 00 00 00 00 00 00 10 >..\............
00000080: 00 00 00 5b ed be 5e 1d 00 00 00 31 00 00 00 84 ...[..^....1....
...

Notes

This vulnerability will be used in future code execution exploits disclosed during this month to retrieve the necessary offsets directly from memory.