Re: CVE Request: PHP: out of bounds read crashes php-cgi

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Use CVE-2014-9427.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9427
now has this.

> ... somehow achieve that memory
> beyond the region to which the file is mapped would be a valid memory
> and contain something that PHP's lexer would interpret as a complete PHP
> script (otherwise it'd just keep scanning until it hits unmapped memory
> where it would segfault). I'm not saying it's not possible at all, but
> it'd probably be very non-trivial to do this if possible. I'm pretty
> sure none of it is possible without, as described above, the equivalent
> of shell access under the user running PHP.

The main threat model is exactly this scenario that you've described,
except that the person with shell access is the victim, not the
attacker. This person intentionally uploads a one-character # file,
but does this because of an oversight (e.g., they hadn't properly
saved the file in a text editor). The person would reasonably expect
that, if an attacker then visits the URL for this file, the php-cgi
process would either print the # character or print nothing. (The
attacker happens to know the URL, or maybe guesses that one-character
# files often have a "test.php" filename.) A security impact could
occur if, when the attacker visits this URL, something else happens,
excluding a crash. First, the php-cgi process could print characters
that were not actually present in the uploaded file. Second (and the
more general case for data sent to the php_execute_script function),
the php-cgi process could execute PHP code that was not actually
present in the uploaded file.

We agree that your "somehow achieve that memory ..." requirement is
necessary for each of those security impacts. However, the unpatched
code does appear to move on to data corruption fairly soon. The
purpose of the code is to skip past a #!/usr/bin/php line and arrange
for the buffer to start at the beginning of the next line of the .php
file. If there's an invalid file with no '\n' character, the code can
(at least for a theoretically possible architecture and memory layout)
reach the "file_handle.handle.stream.mmap.buf += i" and
"file_handle.handle.stream.mmap.len -= i" lines. This len is a size_t
and nothing prevents i from being larger than this len value.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUp4QiAAoJEKllVAevmvmsEOoH/inxXnd64CP8G5EoRvZ4JcdV
opgYo7QHm+0l8mZ/rHzef5n/E/l/jhVLMMA73iYMKFJlwF+lQow4rbZ1ukj7tmNg
7FDh3C3lFrflJoWpfi5DhGv9NLvvuUzvEHqq5UyQdIab7Ogcixn6YnEm8qFUUozp
kq4BbozQfEkGblW/0DRxh+/Jl0Yv5///4AILvM9dayI/R5H5l99x1gJguWITXsM1
sQmcwzsg076hOHP+cDfs80W/mB4ZQ7GPoltwhuqavjXeL1pF1AE7+il+4oHMfRT1
taIgIinuF2qigm1FYl94JExR4Q/PZRIT280gNprGm+28c71iMTK9orfrjrGzVj4=
=ZBxF
-----END PGP SIGNATURE-----