oss-sec mailing list archives

Re: CVE Request: PHP: out of bounds read crashes php-cgi

From: Stanislav Malyshev <smalyshev () gmail com>
Date: Wed, 31 Dec 2014 14:14:23 -0800

Hi!

On 12/31/14 9:30 AM, cve-assign () mitre org wrote:

https://bugs.php.net/bug.php?id=68618 (out of bounds read crashes
php-cgi).

http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35


Use CVE-2014-9427.

Can you clarify what threat models exist that cross privilege
boundaries? Bug #68618 says "could disclose server memory, but anyone


I'm not sure if it's exploitable at all. For starters, it requires
feeding arbitrary files to PHP - which means you already have the
equivalent of full shell access to the host in question as the user
running PHP. In theory, it can result in memory contents disclosure -
though since we're talking about mmap it requires the map used for this
file to be aligned just next to another one, otherwise it'd just segfault.

that can upload php scripts can do far worse." Is the only relevant
scenario that the attacker uploads a crafted .php file and thereby
obtains read access (that would otherwise be unavailable) to memory
locations within a parent process?


The potential for reading memory is for the php-cgi process, since CGI
is its own process. So the only data that can potentially be disclosed
is from the CGI process itself. Also, to result in disclosure and not
just segfault the attacker will need to somehow achieve that memory
beyond the region to which the file is mapped would be a valid memory
and contain something that PHP's lexer would interpret as a complete PHP
script (otherwise it'd just keep scanning until it hits unmapped memory
where it would segfault). I'm not saying it's not possible at all, but
it'd probably be very non-trivial to do this if possible. I'm pretty
sure none of it is possible without, as described above, the equivalent
of shell access under the user running PHP. So I'm not sure if there's
any privilege escalation anyway - maybe if PHP setup is very restricted
so no outside file/program access is possible.

Or is it relevant that a victim may accidentally upload an
incorrect .php file, and may expect that this is harmless, but the
actual behavior is that PHP reads and executes out-of-bounds data that
the victim did not wish to execute?


It's impossible with "accidental" script - it has to be specially made.
E.g. for the problem to happen the file has to start with '#' and have
no newlines (i.e. not be an actual PHP script).
-- 
Stas Malyshev
smalyshev () gmail com

Current thread:

Re: CVE Request: PHP: out of bounds read crashes php-cgi Stanislav Malyshev (Dec 31)
- Re: CVE Request: PHP: out of bounds read crashes php-cgi cve-assign (Jan 02)