oss-security February 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: [oss-security] Re: PHP Exif 64bit Casting Vulnerab

[oss-security] Re: PHP Exif 64bit Casting Vulnerability, CVE request

From: Pierre Joye <pierre.php_at_nospam>
Date: Wed Feb 16 2011 - 08:34:01 GMT
To: oss-security@lists.openwall.com

anyone?

On Mon, Feb 14, 2011 at 10:50 AM, Pierre Joye <pierre.php@gmail.com> wrote:
> hi,
>
> Can someone assign a CVE for the following issue please?
>
> Fix is already applied in our 5.3 and trunk branches:
>
> http://svn.php.net/viewvc?view=revision&revision=308316
> http://svn.php.net/viewvc?view=revision&revision=308317
>
> Note for the distro maintainers, please hang on a bit before applying
> it, at least a couple of day to be sure that the fix covers all cases
> or do not break anything. Tests pass but we never know :)
>
> Cheers,
>
> ---------- Forwarded message ----------
> From: Luca Carettoni <luca.carettoni@ikkisoft.com>
> Date: Fri, Jan 14, 2011 at 8:05 PM
> Subject: PHP Exif 64bit Casting Vulnerability
> To: security@php.net
>
>
> Hi,
> please find enclosed a security advisory of a discovered
> vulnerability in /php-5.3.5/ext/exif/exif.c
>
> Looking forward to receiving your follow-up.
>
> Regards,
> Luca
>
> =====================================================================
> PHP Exif 64bit Casting Vulnerability
> =====================================================================
>
> Affected Software : PHP <= 5.3.5 (Exif extension for 64bit platforms)
> Severity : Low
> Local/Remote : Remote
> Author : @_ikki, @paradoxengine (blog.nibblesec.org)
>
> [Summary]
>
> PHP Exif extension allows developers to work with image metadata
> within their PHP code. For instance, using exif functions it is possible
> to read metadata from digital camera pictures.
> For further details on this file format, please refer to:
> http://www.media.mit.edu/pia/Research/deepview/exif.html
>
> PHP Exif extension for 64bit platforms is affected by a casting
> vulnerability that occurs during the image header parsing.
> According to our preliminary analysis, exploitation of this flaw results
> in Denial of Service.
>
> This vulnerability affects PHP 5.3.5 and likely all previous versions.
> During our analysis, we have successfully tested our PoC against PHP
> 5.3.2, PHP 5.3.3 and the latest PHP release 5.3.5.
>
> Using the following configuration, a system is most likely vulnerable:
> (a) PHP 64bit version
> (b) PHP compiled with --enable-exif
> (c) memory_limit = -1
>
> [Vulnerability Details]
>
> In case of 64bit platforms, an improper conversion occurs within
> "/php-5.3.5/ext/exif/exif.c" at line 1100 (php_ifd_get32s) and 1118
> (php_ifd_get32u).
>
> In detail, an image having properly crafted Image File Directory (IFD)
> can be used to trigger a segmentation fault caused by a memory access
> violation:
>
> $ gdb ./sapi/cli/php
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show
> copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) run -c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg
> Starting
> program: /archive/stuff/vulnsResearch/php_exif/php-5.3.5/sapi/cli/php
> -c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg
> [Thread debugging using libthread_db enabled]
>
> --- start ../ihaterepeating2.jpeg ---
>
> [New Thread 0x7ff7d45a26e0 (LWP 10941)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ff7d45a26e0 (LWP 10941)]
> 0x000000000055e297 in php_ifd_get32s (value=0x2055000, motorola_intel=0)
> at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108
> 1108 return (((char *)value)[3] << 24)
>
> (gdb) backtrace
> #0 0x000000000055e297 in php_ifd_get32s (value=0x2055000,
> motorola_intel=0)
> at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108
> #1 0x000000000055e2f9 in php_ifd_get32u (value=0x2055000,
> motorola_intel=0)
> at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1120
> #2 0x000000000055f37e in exif_iif_add_value
> (image_info=0x7fff68f4e0d0,
> section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517,
> format=5,
> length=536870913, value=0x2017124, motorola_intel=0) at
> /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1760
> #3 0x000000000055f4d1 in exif_iif_add_tag (image_info=0x7fff68f4e0d0,
> section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517,
> format=5,
> length=536870913, value=0x2017124) at
> /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1801
> #4 0x00000000005625a8 in exif_process_IFD_TAG
> (ImageInfo=0x7fff68f4e0d0,
> dir_entry=0x20170e8 "\005\002\005", offset_base=0x2016da0 "II*",
> IFDlength=7157,
> displacement=12, section_index=13, ReadNextIFD=0, tag_table=0x949740)
> at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:3115
> [...]
>
> Within the PoC image, bytes in position 358-35B can be used to craft
> the value of the 'components' variable (int) which is later used within
> memory read operations.
>
> Two cases appear to be interesting:
>
> {Case A - Negative value}
> $hexdump -C ihaterepeating.jpeg | grep -i "03 00 00 A0"
> results in "components=-1610612733"
>
> {Case B - Positive value}
> $hexdump -C ihaterepeating2.jpeg | grep -i "01 00 00 20"
> results in "components=536870913"
> Please note that 0x20 = 32dec
>
> As mentioned, the value of the 'components' variable is later computed
> in memory operations within another variable named 'length'.
> Such value is used in a for-loop instruction (line 1745) to read image
> metadata starting from a memory address.
>
> Although it is possible to control the offset, the following
> instructions (line 1671) limit such value to positive integers only.
>
> <-- cut here -->
> if (length < 0) {
> return;
> }
> <-- cut here -->
>
> Consequently it seems possible to oversize the expected value only,
> which results in a memory access violation.
>
> [Proof-Of-Concept]
>
> Two images (case A and B) have been properly crafted:
> http://www.ikkisoft.com/stuff/ihaterepeating.jpeg
> http://www.ikkisoft.com/stuff/ihaterepeating2.jpeg (SegFault)
>
> You may want to use this script to read exif data:
>
> <-- cut here -->
> <?php
> echo" --- start ---\n\n";
> exif_read_data($argv[1]);
> echo" --- end ---\n\n";
> ?>
> <-- cut here -->
>
> [Fix Information]
>
> n/a
>
>
>
>
>
> --
> Luca Carettoni <luca.carettoni@ikkisoft.com>
>
>
>
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>

-- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org