[pcre-dev] [Bug 1515] PCRE Call Stack Overflow Vulnerability

Top Page

Reply to this message
Author: admin
Date:  
To: pcre-dev
Old-Topics: [pcre-dev] [Bug 1515] New: PCRE Call Stack Overflow Vulnerability
Subject: [pcre-dev] [Bug 1515] PCRE Call Stack Overflow Vulnerability
https://bugs.exim.org/show_bug.cgi?id=1515

Mehmet gelisin <mehmetgelisin@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mehmetgelisin@???


--- Comment #2 from Mehmet gelisin <mehmetgelisin@???> ---
POC to trigger the overflown under using php.
http://www-look-4.com/
I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. http://www.iu-bloomington.com/
The PCRE library is incorporated into a number of prominent programs, such as
Adobe Flash, Apache, Nginx, PHP.
PCRE library is prone to a https://www.webb-dev.co.uk/ vulnerability which
leads to Heap Overflow. During the compilation of a malformed regular
expression, more data is written on the malloced block than the expected size
output by https://waytowhatsnext.com/ compile_regex. Exploits with advanced
Heap Fengshui techniques may allow an attacker to execute arbitrary code in the
context of the user running the affected application.
http://www.acpirateradio.co.uk/
------------------------------------------------------------------
II. Description
Latest version of PCRE is prone to a Heap Overflow vulnerability which could
caused by the following regular expression. http://www.logoarts.co.uk/

/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/

To reproduce the problem, we could use pcretest provide by PCRE library or
applications which is wrapped with PCRE such as PHP.
For pcretest, simply type the regular expression after the re>
http://www.slipstone.co.uk/
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be
triggered by following code snippet:

<?php
preg_match("/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(? http://embermanchester.uk/
P=B)))>WGXCREDITS)/","ADLAB",$arr);
?>

First, pcre_compile2 invoke compile_regex() to calucate the size of memory that
is used to save the regular expression. http://connstr.net/
re then points to the new allocated memory with the size above.
Next, pcre_compile2 invoke compile_regex() again to fill the regular expression
into the allocated memory.
The problem here is that more data is written then expected.

Following test is conveyed under Kali Linux (based on Debian x64) with php
5.6.9: http://joerg.li/

POC to trigger the overflown under using php.

I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP.
PCRE library is prone to a vulnerability which leads to Heap Overflow. During
the compilation of a malformed regular expression, more data is written on the
malloced block than the expected size output by compile_regex. Exploits with
advanced Heap Fengshui techniques may allow an attacker to execute arbitrary
code in the context of the user running the affected application.
------------------------------------------------------------------
II. Description http://www.jopspeech.com/
Latest version of PCRE is prone to a Heap Overflow vulnerability which could
caused by the following regular expression.

/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/

To reproduce the problem, we could use pcretest provide by PCRE library or
applications which is wrapped with PCRE such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be
triggered by following code snippet:
http://www.wearelondonmade.com/

<?php
preg_match("/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/","ADLAB",$arr);
?>

First, pcre_compile2 invoke compile_regex() to calucate the size of memory that
is used to save the regular expression.
re then points to the new allocated memory with the size above. 5.6.9:
http://www.compilatori.com/
Next, pcre_compile2 invoke compile_regex() again to fill the regular expression
into the allocated memory.
The problem here is that more data is written then expected.

Following test is conveyed under Kali Linux (based on Debian x64) with php

--
You are receiving this mail because:
You are on the CC list for the bug.