Hispasec
Security Advisory
http://hispasec.com/

Name         : PHP
Threat level : LOW/MED
Class        : Denial of Service
Discovered   : 2009-08-10
Published    : ---
Credit       : Gynvael Coldwind, Matthew "j00ru" Jurczyk, Martin Noga
Vulnerable   : PHP 5.2.10 / 5.3.0, all platforms



==[ Abstract ]==

PHP is a well-known script programming language, commonly used by the Apache web server,
present on most machines running under Linux/Unix kernel control. It is mostly used to run
scripts on the WWW server side, but it can be also used from the command-line level. Since the
PHP server is running in the context of Apache, an exception generated by PHP will most likely
result in the entire apache process going down. By using the vulnerability describing here, one
is able to crash the PHP server (in its default configuration), both locally and remotely.



==[ Details ]==

The vulnerability makes use of the lack of a special sanity check regarding the user-supplied data,
inside the default EXIF extension. The module intends to allow an external programmer to obtain
every possible information existing inside the EXIF tag inside a JPEG / TIFF image file. Such
information is often stored by modern cameras, providing additional information about the specified
photo.

To be more exact, the unsecure code is listed below:

--- cut ---

static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offset, int section_index TSRMLS_DC)
{

(...)

if (entry_tag == TAG_EXIF_IFD_POINTER ||
   entry_tag == TAG_INTEROP_IFD_POINTER ||
entry_tag == TAG_GPS_IFD_POINTER ||
  entry_tag == TAG_SUB_IFD
) {

(...)

exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index TSRMLS_CC);

--- cut ---


As one can see, the exif_process_IFD_in_TIFF function uses recursive calls under certain conditions. The "if"
statement presented above is inside a wider for() loop, iterating throught every single Tag Entry present in the
current IFD directory. There are four contant values that are interpreted as if they contained offset of the
next IFD to parse (an 'extension' of what IFD.NextOffset provides). As far as the code is correctly understood,
it seems to be able to create recursive lists of IFDs containing various information about the specified file
(such as the Thumbnail data).

However, there is no sanity check whether the recursive call level hasn't exceeded the maximum allowed number, thus
making it possible for the attacker to create a loop of one or more elements. As the code is not protected against
such situations, it would theoretically execute forever, resulting in the "Infinite loop" vulnerability conditions.
On the other hand, one must remember that there is no iteration loop when it comes the IFD list. Instead, a function
call is made every time a special tag is found. Due to the fact that every single call takes some memory from the stack
(retaddr, stack frame, function arguments etc), the code will eventually crash, caused by the lack of remaining
stack memory to use. The above scenario results standard Denial Of Service conditions, making it possible to crash
the PHP server by both local and remote attacker, as long as he is able to execute some PHP code (nearly 100% effectiveness).


==[ Solution ]==

One possible solution is to add a new variable containing the current function level (or control this information
using different approaches). Furthermore, it should be compared to the maximum allowed level, chosen carefully so that
the thread stack size is not exceeded under any circumstances. Another idea is to give up making recursive calls and
try to create a kind of "IFD Queue" handled by an interation loop. However, the last approach would require much code
to be rewritten, which could potentially lead to a number of new code bugs being generated.


==[ Proof of Concept ]==

The PoC file should be enclosed to this advisory file, in a ready-to-use state.


==[ Vendor Status ]==

The vendor has not yet been informed about this issue.


==[ Time line ]==

2009-08-10 : The vulnerability has been discovered
2009-xx-xx :


== Disclaimer ==

This document and all the information it contains is provided "as is",
without any warranty. Author is not responsible for the misuse
of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

------------------------------------------
Copyright (C) 2009 Hispasec Sistemas
------------------------------------------

Add a comment:

Nick:
URL (optional):
Math captcha: 8 ∗ 4 + 5 =