CVE-2011-0708 : Detail

CVE-2011-0708

Overflow
14.05%V3
Network
2011-03-20
00h00 +00:00
2016-08-19
13h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 16261

Publication date : 2011-02-27 23h00 +00:00
Author : _ikki & paradoxengine
EDB Verified : Yes

Source: http://permalink.gmane.org/gmane.comp.security.oss.general/4198 ===================================================================== PHP Exif 64bit Casting Vulnerability ===================================================================== Affected Software : PHP <= 5.3.5 (Exif extension for 64bit platforms) Severity : Low Local/Remote : Remote Author : @_ikki, @paradoxengine (blog.nibblesec.org) [Summary] PHP Exif extension allows developers to work with image metadata within their PHP code. For instance, using exif functions it is possible to read metadata from digital camera pictures. For further details on this file format, please refer to: http://www.media.mit.edu/pia/Research/deepview/exif.html PHP Exif extension for 64bit platforms is affected by a casting vulnerability that occurs during the image header parsing. According to our preliminary analysis, exploitation of this flaw results in Denial of Service. This vulnerability affects PHP 5.3.5 and likely all previous versions. During our analysis, we have successfully tested our PoC against PHP 5.3.2, PHP 5.3.3 and the latest PHP release 5.3.5. Using the following configuration, a system is most likely vulnerable: (a) PHP 64bit version (b) PHP compiled with --enable-exif (c) memory_limit = -1 [Vulnerability Details] In case of 64bit platforms, an improper conversion occurs within "/php-5.3.5/ext/exif/exif.c" at line 1100 (php_ifd_get32s) and 1118 (php_ifd_get32u). In detail, an image having properly crafted Image File Directory (IFD) can be used to trigger a segmentation fault caused by a memory access violation: $ gdb ./sapi/cli/php GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu"... (gdb) run -c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg Starting program: /archive/stuff/vulnsResearch/php_exif/php-5.3.5/sapi/cli/php -c /etc/php5/cli/php.ini ../exif.php ../ihaterepeating2.jpeg [Thread debugging using libthread_db enabled] --- start ../ihaterepeating2.jpeg --- [New Thread 0x7ff7d45a26e0 (LWP 10941)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ff7d45a26e0 (LWP 10941)] 0x000000000055e297 in php_ifd_get32s (value=0x2055000, motorola_intel=0) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108 1108 return (((char *)value)[3] << 24) (gdb) backtrace #0 0x000000000055e297 in php_ifd_get32s (value=0x2055000, motorola_intel=0) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1108 #1 0x000000000055e2f9 in php_ifd_get32u (value=0x2055000, motorola_intel=0) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1120 #2 0x000000000055f37e in exif_iif_add_value (image_info=0x7fff68f4e0d0, section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517, format=5, length=536870913, value=0x2017124, motorola_intel=0) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1760 #3 0x000000000055f4d1 in exif_iif_add_tag (image_info=0x7fff68f4e0d0, section_index=13, name=0x7fff68f4d920 "UndefinedTag:0x0205", tag=517, format=5, length=536870913, value=0x2017124) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:1801 #4 0x00000000005625a8 in exif_process_IFD_TAG (ImageInfo=0x7fff68f4e0d0, dir_entry=0x20170e8 "\005\002\005", offset_base=0x2016da0 "II*", IFDlength=7157, displacement=12, section_index=13, ReadNextIFD=0, tag_table=0x949740) at /archive/stuff/vulnsResearch/php_exif/php-5.3.5/ext/exif/exif.c:3115 [...] Within the PoC image, bytes in position 358-35B can be used to craft the value of the 'components' variable (int) which is later used within memory read operations. Two cases appear to be interesting: {Case A - Negative value} $hexdump -C ihaterepeating.jpeg | grep -i "03 00 00 A0" results in "components=-1610612733" {Case B - Positive value} $hexdump -C ihaterepeating2.jpeg | grep -i "01 00 00 20" results in "components=536870913" Please note that 0x20 = 32dec As mentioned, the value of the 'components' variable is later computed in memory operations within another variable named 'length'. Such value is used in a for-loop instruction (line 1745) to read image metadata starting from a memory address. Although it is possible to control the offset, the following instructions (line 1671) limit such value to positive integers only. <-- cut here --> if (length < 0) { return; } <-- cut here --> Consequently it seems possible to oversize the expected value only, which results in a memory access violation. [Proof-Of-Concept] Two images (case A and B) have been properly crafted: http://www.ikkisoft.com/stuff/ihaterepeating.jpeg http://www.ikkisoft.com/stuff/ihaterepeating2.jpeg (SegFault) You may want to use this script to read exif data: <-- cut here --> <?php echo" --- start ---\n\n"; exif_read_data($argv[1]); echo" --- end ---\n\n"; ?> <-- cut here --> [Fix Information] n/a -- Luca Carettoni PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/16261.zip

Products Mentioned

Configuraton 0

Php>>Php >> Version To (including) 5.3.5

Php>>Php >> Version 1.0

Php>>Php >> Version 2.0

Php>>Php >> Version 2.0b10

Php>>Php >> Version 3.0

Php>>Php >> Version 3.0.1

Php>>Php >> Version 3.0.2

Php>>Php >> Version 3.0.3

Php>>Php >> Version 3.0.4

Php>>Php >> Version 3.0.5

Php>>Php >> Version 3.0.6

Php>>Php >> Version 3.0.7

Php>>Php >> Version 3.0.8

Php>>Php >> Version 3.0.9

Php>>Php >> Version 3.0.10

Php>>Php >> Version 3.0.11

Php>>Php >> Version 3.0.12

Php>>Php >> Version 3.0.13

Php>>Php >> Version 3.0.14

Php>>Php >> Version 3.0.15

Php>>Php >> Version 3.0.16

Php>>Php >> Version 3.0.17

Php>>Php >> Version 3.0.18

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0.0

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.2

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.4

Php>>Php >> Version 4.0.5

Php>>Php >> Version 4.0.6

Php>>Php >> Version 4.0.7

Php>>Php >> Version 4.1.0

Php>>Php >> Version 4.1.1

Php>>Php >> Version 4.1.2

Php>>Php >> Version 4.2.0

Php>>Php >> Version 4.2.1

Php>>Php >> Version 4.2.2

Php>>Php >> Version 4.2.3

Php>>Php >> Version 4.3.0

Php>>Php >> Version 4.3.1

Php>>Php >> Version 4.3.2

Php>>Php >> Version 4.3.3

Php>>Php >> Version 4.3.4

Php>>Php >> Version 4.3.5

Php>>Php >> Version 4.3.6

Php>>Php >> Version 4.3.7

Php>>Php >> Version 4.3.8

Php>>Php >> Version 4.3.9

Php>>Php >> Version 4.3.10

Php>>Php >> Version 4.3.11

Php>>Php >> Version 4.4.0

Php>>Php >> Version 4.4.1

Php>>Php >> Version 4.4.2

Php>>Php >> Version 4.4.3

Php>>Php >> Version 4.4.4

Php>>Php >> Version 4.4.5

Php>>Php >> Version 4.4.6

Php>>Php >> Version 4.4.7

Php>>Php >> Version 4.4.8

Php>>Php >> Version 4.4.9

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.1

Php>>Php >> Version 5.0.2

Php>>Php >> Version 5.0.3

Php>>Php >> Version 5.0.4

Php>>Php >> Version 5.0.5

Php>>Php >> Version 5.1.0

Php>>Php >> Version 5.1.1

Php>>Php >> Version 5.1.2

Php>>Php >> Version 5.1.3

Php>>Php >> Version 5.1.4

Php>>Php >> Version 5.1.5

Php>>Php >> Version 5.1.6

Php>>Php >> Version 5.2.0

Php>>Php >> Version 5.2.1

Php>>Php >> Version 5.2.2

Php>>Php >> Version 5.2.3

Php>>Php >> Version 5.2.4

Php>>Php >> Version 5.2.4

    Php>>Php >> Version 5.2.5

    Php>>Php >> Version 5.2.6

    Php>>Php >> Version 5.2.7

    Php>>Php >> Version 5.2.8

    Php>>Php >> Version 5.2.9

    Php>>Php >> Version 5.2.10

    Php>>Php >> Version 5.2.11

    Php>>Php >> Version 5.2.12

    Php>>Php >> Version 5.2.13

    Php>>Php >> Version 5.2.14

    Php>>Php >> Version 5.2.15

    Php>>Php >> Version 5.2.16

    Php>>Php >> Version 5.2.17

    Php>>Php >> Version 5.3.0

    Php>>Php >> Version 5.3.1

    Php>>Php >> Version 5.3.2

    Php>>Php >> Version 5.3.3

    Php>>Php >> Version 5.3.4

    References

    http://marc.info/?l=bugtraq&m=133469208622507&w=2
    Tags : vendor-advisory, x_refsource_HP
    http://www.vupen.com/english/advisories/2011/0764
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.exploit-db.com/exploits/16261/
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.mandriva.com/security/advisories?name=MDVSA-2011:053
    Tags : vendor-advisory, x_refsource_MANDRIVA
    http://www.debian.org/security/2011/dsa-2266
    Tags : vendor-advisory, x_refsource_DEBIAN
    http://www.vupen.com/english/advisories/2011/0890
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.php.net/releases/5_3_6.php
    Tags : x_refsource_CONFIRM
    http://www.php.net/ChangeLog-5.php
    Tags : x_refsource_CONFIRM
    http://www.php.net/archive/2011.php
    Tags : x_refsource_CONFIRM
    http://marc.info/?l=bugtraq&m=133469208622507&w=2
    Tags : vendor-advisory, x_refsource_HP
    http://bugs.php.net/bug.php?id=54002
    Tags : x_refsource_CONFIRM
    http://openwall.com/lists/oss-security/2011/02/16/7
    Tags : mailing-list, x_refsource_MLIST
    http://www.redhat.com/support/errata/RHSA-2011-1423.html
    Tags : vendor-advisory, x_refsource_REDHAT
    http://openwall.com/lists/oss-security/2011/02/14/1
    Tags : mailing-list, x_refsource_MLIST
    http://www.mandriva.com/security/advisories?name=MDVSA-2011:052
    Tags : vendor-advisory, x_refsource_MANDRIVA
    http://securityreason.com/securityalert/8114
    Tags : third-party-advisory, x_refsource_SREASON
    http://www.securityfocus.com/bid/46365
    Tags : vdb-entry, x_refsource_BID
    http://www.vupen.com/english/advisories/2011/0744
    Tags : vdb-entry, x_refsource_VUPEN
    http://rhn.redhat.com/errata/RHSA-2012-0071.html
    Tags : vendor-advisory, x_refsource_REDHAT
    http://support.apple.com/kb/HT5002
    Tags : x_refsource_CONFIRM