PHP mbstring Buffer Overflow Vulnerability


Summary :
PHP is “a scripting language extensively used in web application development. The package contains a number of language extensions aside from the language core”.

A heap buffer overflow was found in the mbstring extension, which is bundled with the standard distribution. The mbstring extension provides a set of functions for manipulating multibyte / Unicode strings.

The vulnerability occurs in the part of the encoding conversion facility that decodes strings containing HTML entities into Unicode strings. Due to the decoder’s incorrect handling of error conditions, the bounds check for a heap-allocated buffer is effectively bypassed. An attacker who gains control over the decoder’s input can exploit this vulnerability to write arbitrary data to a specific region of the heap.

Credit :
The information has been provided by Moriyoshi Koizumi. [mozo at mozo.jp]

Vulnerable Systems :
* PHP version 4.3.0 or newer

Immune Systems :
* PHP versions prior to 4.3.0
* PHP version 5.2.7
* PHP version 5.3 alpha 3

Details :
The following pieces are excerpts from the HTML-entity decoder code in question (mbfilter_htmlent.c). The decoder is implemented as a callback function that is called for each character of the input string in sequence, with a structure (mbfl_convert_filter) holding the state of the decoder.

mbfl_convert_filter has a field named “output_function” that points to a function to which the decoded data is passed on a per-character basis. The function is supposed to return a negative value on error. It will most likely fail if the argument is a Unicode value that is not assigned to any character.

In particular, since the signature of output_function is int (*)(int, void *) while the buffer is an array of unsigned char, every character code greater than 127 is passed to the function with its value negated, which leads to unconditional failure.
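The signedness hazard described above, as an added illustration constructed for this note: it is not code from PHP’s mbfilter_htmlent.c or from the advisory’s author, and the names sink_t, emit, widen_signed, widen_unsigned and decode_bytes are hypothetical. It models a per-character output function with the advisory’s int (*)(int, void *) signature, shows how widening a byte through a signed type turns every value above 127 into a negative (hence rejected) argument, and shows the caller stopping on the first negative return so that an error can never bypass the buffer’s bounds check.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the per-character decoder callback.
 * Hypothetical names; NOT PHP's own code. */

typedef struct {
    unsigned char *out;  /* output buffer the decoder fills */
    size_t cap;          /* capacity of out in bytes */
    size_t len;          /* bytes written so far */
} sink_t;

/* Output function with the advisory's signature, int (*)(int, void *).
 * A negative return means "could not emit this value". */
static int emit(int c, void *data)
{
    sink_t *s = (sink_t *)data;
    if (c < 0 || c > 0x10FFFF)   /* no character is assigned to this value */
        return -1;
    if (s->len >= s->cap)        /* bounds check on the output buffer */
        return -1;
    s->out[s->len++] = (unsigned char)(c & 0xFF); /* model: emit the low byte */
    return 0;
}

/* Widening a byte to int the wrong way: through signed char, bytes >= 0x80
 * become negative (0xC3 -> -61), so emit() rejects every non-ASCII byte. */
static int widen_signed(const unsigned char *buf, size_t i)
{
    return (signed char)buf[i];
}

/* Correct widening: keep the byte unsigned (0xC3 -> 195). */
static int widen_unsigned(const unsigned char *buf, size_t i)
{
    return buf[i];
}

/* Feed each input byte to the callback. Stops at the first failure rather
 * than continuing, so a rejected byte is never counted as written.
 * Returns the number of bytes emitted; *status is 0 on success, -1 on error. */
static size_t decode_bytes(const unsigned char *in, size_t n, sink_t *s,
                           int (*widen)(const unsigned char *, size_t),
                           int *status)
{
    size_t i;
    *status = 0;
    for (i = 0; i < n; i++) {
        if (emit(widen(in, i), s) < 0) {
            *status = -1;
            break;
        }
    }
    return s->len;
}

int main(void)
{
    /* Constructed input: UTF-8 "é" (0xC3 0xA9), two bytes above 127. */
    const unsigned char in[] = { 0xC3, 0xA9 };
    unsigned char buf[4];
    sink_t s = { buf, sizeof buf, 0 };
    int status;
    size_t n;

    n = decode_bytes(in, sizeof in, &s, widen_signed, &status);
    printf("signed widening:   emitted %zu, status %d\n", n, status);

    s.len = 0;
    n = decode_bytes(in, sizeof in, &s, widen_unsigned, &status);
    printf("unsigned widening: emitted %zu, status %d\n", n, status);
    return 0;
}
```

With signed widening the first byte is already rejected, which is the "unconditional failure" the advisory describes; with unsigned widening both bytes are emitted, and a buffer with capacity 1 rejects the second byte instead of writing past the end.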

Impact :
Since mbstring functions make use of this facility in various places, almost all of them can be considered vulnerable. The functions listed below deserve particular attention given their primary usage:
– mb_convert_encoding()
– mb_check_encoding()
– mb_convert_variables()
– mb_parse_str()

The following functions are believed to be safe by their nature.
– mb_decode_numericentity() *
– mb_detect_encoding()
– mb_detect_order()
– mb_ereg()
– mb_ereg_match()
– mb_ereg_replace()
– mb_ereg_search()
– mb_ereg_search_pos()
– mb_ereg_search_regs()
– mb_ereg_search_init()
– mb_ereg_search_getregs()
– mb_ereg_search_getpos()
– mb_ereg_search_setpos()
– mb_ereg_set_options()
– mb_eregi()
– mb_eregi_replace()
– mb_get_info()
– mb_http_input()
– mb_http_output()
– mb_internal_encoding()
– mb_language()
– mb_list_encodings()
– mb_preferred_mime_name()
– mb_regex_encoding()
– mb_regex_set_options()
– mb_split()
– mb_substitute_character()

(*) Implemented by different code that provides similar functionality.

Besides these scriptable functions, mbstring provides functionality that automatically filters the form values supplied through a request URI or POSTed content. Because browsers may send form-data characters that cannot be represented in the encoding of the HTML document as HTML entities, it should be no surprise that a user has a PHP installation configured as follows:
mbstring.encoding_translation=on
mbstring.http_input=HTML-ENTITIES
mbstring.internal_encoding=UTF-8

The vulnerability would be remotely exploitable in such a case.

Solution :
Upgrade to version 5.2.8. Note that maintenance of the 4.x series has been discontinued.

Source : SecuriTeam
http://www.securiteam.com/unixfocus/6X00P0ANFM.html
