exploitDog

GHSA-r977-prxv-hc43

Published: 21 Nov 2024
Source: github
GitHub: Not reviewed
CVSS3: 4.8

Description

Single byte overread with convert.quoted-printable-decode filter

Summary

A memory-related vulnerability in PHP’s filter handling system, particularly when processing input with convert.quoted-printable-decode filters, leads to a segmentation fault. This vulnerability is triggered through specific sequences of input data, causing PHP to crash. When exploited, it allows an attacker to extract a single byte of data from the heap or cause a DoS.

Details

The issue is caused by a missing bound check.

The crash is reliably detected by AddressSanitizer (ASAN), which reports a segmentation fault caused by a read memory access violation. This suggests that there may be an out-of-bounds read or a use-after-free condition in the affected filters. Below is an example stack trace as detected by ASAN:

AddressSanitizer: SEGV on unknown address 0x7ffff4200000 (pc 0x55555635d5b4 bp 0x000000000001 sp 0x7fffffff9e20 T0)
The signal is caused by a READ memory access.
#0 0x55555635d5b4 in php_conv_qprint_decode_convert (/php-8.3.13/sapi/cli/php+0xf5d5b4)
#1 0x555556355e00 in strfilter_convert_append_bucket (/php-8.3.13/sapi/cli/php+0xf55e00)
#2 0x55555635507d in strfilter_convert_filter (/php-8.3.13/sapi/cli/php+0xf5507d)
...
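The advisory only says the root cause is a missing bound check. As an added illustration of that defect class (not code from PHP, and not part of this advisory), the decoder below shows what the check looks like in a quoted-printable decoder: every lookahead past the '=' byte is preceded by a test that the byte actually exists, so a trailing "=", "=\r" or "=X" at the end of the input is reported as truncated instead of being read one byte past the buffer. The function names, the helpers and the sample inputs are constructed for this example; that the unguarded read in PHP is a lookahead after '=' is an assumption, the page does not say which read is unguarded.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Decode quoted-printable data from src[0..srclen) into dst (capacity dstcap).
 * Returns the number of bytes written, or -1 if the input is malformed or
 * truncated. Every read of src[i+1] or src[i+2] is preceded by a check that
 * those bytes exist, so a '=' as the last byte never causes a read past the end.
 * (Constructed example; not PHP's implementation.)
 */
long qp_decode(const unsigned char *src, size_t srclen,
               unsigned char *dst, size_t dstcap) {
    size_t i = 0, o = 0;
    while (i < srclen) {
        unsigned char c = src[i];
        if (c != '=') {                          /* literal byte: copy through */
            if (o >= dstcap) return -1;
            dst[o++] = c;
            i++;
            continue;
        }
        /* '=' must be followed by a soft line break ("=\n" or "=\r\n")
           or by two hex digits ("=XX"). Check the length BEFORE looking
           ahead: this is the bound check whose absence gives a one-byte overread. */
        if (i + 1 >= srclen) return -1;          /* '=' is the final byte: truncated */
        unsigned char n1 = src[i + 1];
        if (n1 == '\n') { i += 2; continue; }    /* soft line break, LF only */
        if (n1 == '\r') {
            if (i + 2 >= srclen) return -1;      /* "=\r" at end: truncated */
            if (src[i + 2] != '\n') return -1;   /* bare CR is not valid */
            i += 3;
            continue;
        }
        if (i + 2 >= srclen) return -1;          /* "=X" at end: truncated */
        int hi = hexval(n1), lo = hexval(src[i + 2]);
        if (hi < 0 || lo < 0) return -1;         /* '=' not followed by hex digits */
        if (o >= dstcap) return -1;
        dst[o++] = (unsigned char)((hi << 4) | lo);
        i += 3;
    }
    return (long)o;
}

/* Helper: decoded length (or -1) for a NUL-terminated sample string. */
long qp_decode_len(const char *in) {
    unsigned char out[64];
    return qp_decode((const unsigned char *)in, strlen(in), out, sizeof out);
}

/* Helper: 1 if decoding `in` yields exactly `expected`, else 0. */
int qp_decodes_to(const char *in, const char *expected) {
    unsigned char out[64];
    long n = qp_decode((const unsigned char *)in, strlen(in), out, sizeof out);
    if (n < 0 || (size_t)n != strlen(expected)) return 0;
    return memcmp(out, expected, (size_t)n) == 0;
}

int main(void) {
    /* Constructed samples: a well-formed sequence followed by the truncated
       edge cases where an unchecked lookahead would read past the input. */
    const char *samples[] = { "a=3Db", "ab=\r\ncd", "ab=", "ab=\r", "=4", "=ZZ" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("sample %zu -> %ld\n", k, qp_decode_len(samples[k]));
    return 0;
}
```

The decoder returns -1 for the truncated cases rather than silently treating the input as complete, so a caller (a stream filter, say) can hold the partial "=" sequence back until more data arrives. Compiling this with AddressSanitizer and feeding it the truncated samples is a quick way to confirm that no frame reports a read past the input buffer.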

PoC

  1. Set ASAN not to detect leaks: export ASAN_OPTIONS=detect_leaks=0

  2. Run the following with the 2 attached files (in php_crash.zip) against php compiled with ASAN: cat ./php_crash | ./sapi/cli/php poc.php

  3. Note the ASAN trace once the final output hits the echo implode

root@32fbd16f3ed1:/php-8.3.13# cat php_crash | ./sapi/cli/php zlib_fuzz.php
Warning: file_get_contents(): Unable to locate filter "bzip2.compress" in /php-8.3.13/zlib_fuzz.php on line 25
Warning: file_get_contents(): Unable to create filter (bzip2.compress) in /php-8.3.13/zlib_fuzz.php on line 25
Warning: file_get_contents(): Unable to locate filter "bzip2.decompress" in /php-8.3.13/zlib_fuzz.php on line 25
Warning: file_get_contents(): Unable to create filter (bzip2.decompress) in /php-8.3.13/zlib_fuzz.php on line 25
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1558930==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff4200000 (pc 0x55555635d5b4 bp 0x000000000001 sp 0x7fffffff9e40 T0)
==1558930==The signal is caused by a READ memory access.
#0 0x55555635d5b4 in php_conv_qprint_decode_convert /php-8.3.13/ext/standard/filters.c:999:46
#1 0x555556355e00 in strfilter_convert_append_bucket /php-8.3.13/ext/standard/filters.c
#2 0x55555635507d in strfilter_convert_filter /php-8.3.13/ext/standard/filters.c:1525:7
#3 0x5555563f7b0f in _php_stream_fill_read_buffer /php-8.3.13/main/streams/streams.c:583:14
#4 0x5555563f942e in _php_stream_read /php-8.3.13/main/streams/streams.c:747:8
#5 0x555556400a9c in _php_stream_copy_to_mem /php-8.3.13/main/streams/streams.c:1580:16
#6 0x5555561ced5e in zif_file_get_contents /php-8.3.13/ext/standard/file.c:445:18
#7 0x555556887bae in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-8.3.13/Zend/zend_vm_execute.h:1337:2
#8 0x5555566e729b in execute_ex /php-8.3.13/Zend/zend_vm_execute.h:57007:7
#9 0x5555566e7e95 in zend_execute /php-8.3.13/Zend/zend_vm_execute.h:61604:2
#10 0x5555565f7adb in zend_execute_scripts /php-8.3.13/Zend/zend.c:1893:4
#11 0x55555639c646 in php_execute_script /php-8.3.13/main/main.c:2528:13
#12 0x555556c29b97 in do_cli /php-8.3.13/sapi/cli/php_cli.c:966:5
#13 0x555556c270aa in main /php-8.3.13/sapi/cli/php_cli.c:1341:18
#14 0x7ffff75301c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7ffff753028a in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x555555803bc4 in _start (/php-8.3.13/sapi/cli/php+0x403bc4) (BuildId: 712b3d4fbdcb978a011679cd1c90ada321af14cf)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-8.3.13/ext/standard/filters.c:999:46 in php_conv_qprint_decode_convert

Impact

It affects any systems that use these filters in sequence, especially those processing untrusted user input through php://filter. Systems leveraging this filter chain may be vulnerable to this overrun, and under specific conditions, there is a risk of DoS or information leakage.

Packages

Name             Affected versions   Fixed version
Not specified    < 8.1.31            8.1.31
Not specified    < 8.2.26            8.2.26
Not specified    < 8.3.14            8.3.14

EPSS

Percentile: 42%
0.00197
Low

4.8 Medium

CVSS3

Weaknesses

CWE-122

Related vulnerabilities

CVSS3: 4.8
ubuntu
7 months ago

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

CVSS3: 4.8
redhat
7 months ago

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

CVSS3: 4.8
nvd
7 months ago

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

CVSS3: 8.2
msrc
6 months ago

No description available

CVSS3: 4.8
debian
7 months ago

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ...
