Sunday, December 21, 2008

[UNIX] PHP mbstring Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

PHP mbstring Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

PHP is "a scripting language extensively used in web application
development. The package contains a number of language extensions aside
from the language core".

A heap buffer overflow was found in mbstring extension that is bundled in
the standard distribution. mbstring extension provides a set of functions
for the manipulation of multibyte / Unicode strings.

The vulnerability occurs in the part of the encoding conversion facility
that decodes strings that contain HTML entities into Unicode strings. Due
to the decoder's incorrect handling of error conditions, the bounds check
for a heap-allocated buffer is effectively bypassed. An attacker can
exploit this vulnerability to transfer arbitrary data to a specific region
of the heap if he gains control over the input of the decoder.

DETAILS

Vulnerable Systems:
* PHP version 4.3.0 or newer

Immune Systems:
* PHP versions prior to 4.3.0
* PHP version 5.2.7
* PHP version 5.3 alpha 3

Details:
The following pieces are excerpts from the HTML-entity decoder code in
question (mbfilter_htmlent.c), where the decoder is implemented as a
callback function that is called against each characters of the input
string sequentially with a structure (mbfl_convert_filter) containing the
state of the decoder.

mbfl_convert_filter has a field named "output_function" that points to a
function to which the decoded data is passed on a per-character basis.
The function is supposed to return a negative value on error. It will
most likely fail if the argument is an Unicode value that is not
designated to any character.

In particular, since the signature of the output_function is int(*)(int,
void *) though the buffer is an array of unsigned char, every character
code that is greater than 127 gets passed to the function with its value
negated and leads to unconditional failure.

Impact:
Since mbstring functions make use of the facility in various places,
almost all of those can be considered vulnerable. The functions listed
below should be particularly noted according to their primary usage:
- mb_convert_encoding()
- mb_check_encoding()
- mb_convert_variables()
- mb_parse_str()

The following functions are supposed to be safe in their nature.
- mb_decode_numericentity() *
- mb_detect_encoding()
- mb_detect_order()
- mb_ereg()
- mb_ereg_match()
- mb_ereg_replace()
- mb_ereg_search()
- mb_ereg_search_pos()
- mb_ereg_search_regs()
- mb_ereg_search_init()
- mb_ereg_search_getregs()
- mb_ereg_search_getpos()
- mb_ereg_search_setpos()
- mb_ereg_set_options()
- mb_eregi()
- mb_eregi_replace()
- mb_get_info()
- mb_http_input()
- mb_http_output()
- mb_internal_encoding()
- mb_language()
- mb_list_encodings()
- mb_preferred_mime_name()
- mb_regex_encoding()
- mb_regex_set_options()
- mb_split()
- mb_substitute_character()

(*) Based on the different code while providing similar functionality.

Besides these scriptable functions, mbstring provides functionality that
automatically filters the form values given through a request URI or
POSTed content. Because browsers may send characters of the form data that
cannot be represented in the encoding used in the HTML document as HTML
entities, it should be no surprise that an user has a PHP installation
configured as
follows:
mbstring.encoding_translation=on
mbstring.http_input=HTML-ENTITIES
mbstring.internal_encoding=UTF-8

The vulnerability would be remotely exploitable in such a case.

Solution:
Upgrade to version 5.2.8. Note that the maintenance of 4.x series was
discontinued.


ADDITIONAL INFORMATION

The information has been provided by <mailto:mozo@mozo.jp> Moriyoshi
Koizumi.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment