[pcre-dev] [Bug 1503] New: PCRE Library Stack Overflow Vulne…

Author: hhjack
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1503] New: PCRE Library Stack Overflow Vulnerability
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1503
           Summary: PCRE Library Stack Overflow Vulnerability
           Product: PCRE
           Version: 8.35
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: rubymail@???
                CC: pcre-dev@???
Created an attachment (id=739)
--> (http://bugs.exim.org/attachment.cgi?id=739)
The regular expression that could reproduce the stack overflow.

PCRE Library Stack Overflow Vulnerability
------------------------------------------------------------------
I. Summary
The PCRE library is prone to a vulnerability which leads to a stack overflow. Without
enough bounds checking inside compile_regex(), the stack memory could be
overflowed via a crafted regular expression. Since the PCRE library is widely used,
this vulnerability should affect many applications. An attacker may exploit
this issue to execute arbitrary code in the context of the user running the
affected application.
------------------------------------------------------------------
II. Description
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache HTTP
Server, Nginx HTTP server, and the PHP and R scripting languages. The latest version of
PCRE is prone to a stack overflow vulnerability which can be caused by the
following regular expression.

/(((a\2)|(a*)\g<-1>))*a?/

To reproduce the problem, we can use pcretest, provided by the PCRE library, or
applications which wrap PCRE, such as PHP.
For pcretest, simply type the regular expression after the re> prompt.

For PHP, the latest version of PHP 5.5/5.6 (wrapped with PCRE 8.35) can be
triggered by the following code snippet.

<?php
preg_match("/(((a\\2)|(a*)\\g<-1>))*a?/","abcd",$arr);
?>

A carefully crafted regular expression may allow the attacker to control the EIP
and other stack variables, resulting in code execution.
The latest version of PCRE was tested under Windows and Linux. Other versions and
applications may also be affected.
------------------------------------------------------------------
III. Impact
Stack Overflow
------------------------------------------------------------------
IV. Affected
The latest version of the PCRE library (8.35).
Other versions and applications may also be affected.
------------------------------------------------------------------
V. Solution
There is no known workaround at this time.
------------------------------------------------------------------
VI. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.