CVE-2017-11164: oss-security - Re: [scr358145] pcre-8.41

• Products
  • Openwall GNU/*/Linux server OS
  • Linux Kernel Runtime Guard
  • John the Ripper password cracker
    • Free & Open Source for any platform
    • in the cloud
    • Pro for Linux
    • Pro for macOS
  • Wordlists for password cracking
  • passwdqc policy enforcement
    • Free & Open Source for Unix
    • Pro for Windows (Active Directory)
  • yescrypt KDF & password hashing
  • yespower Proof-of-Work (PoW)
  • crypt_blowfish password hashing
  • phpass ditto in PHP
  • tcb better password shadowing
  • Pluggable Authentication Modules
  • scanlogd port scan detector
  • popa3d tiny POP3 daemon
  • blists web interface to mailing lists
  • msulogin single user mode login
  • php_mt_seed mt_rand() cracker
• Services
• Publications
  • Articles
  • Presentations
• Resources
  • Mailing lists
  • Community wiki
  • Source code repositories (GitHub)
  • Source code repositories (CVSweb)
  • File archive & mirrors
  • How to verify digital signatures
  • OVE IDs
• What’s new

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Tue, 11 Jul 2017 10:03:01 +0800 From: “ben” <qbenjin@…com> To: “oss-security” <oss-security@…ts.openwall.com> Cc: “huangyonggang” <huangyonggang@…60.cn> Subject: Re: [scr358145] pcre-8.41 - 8.41

[Suggested description] In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

---

[Additional Information] This vulns like CVE-2017-9729. it is about line 2061 (from the https://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?revision=1683&view=markup page) of pcre_exec.c:

RMATCH(eptr, prev, offset_top, md, eptrb, RM13);

this recursive calls case Segmentation fault ,because of stack exhaustion.

The poc code like:

if(regcomp (&regtmp,"\x28\x61\x2A\x5C\x56\x2A\x5C\x43\x2B\x29\x2A\x6F\xE5\xA2\x80", REG_UTF8 )==0) {
regmatch_t pmatch[1]; regexec(&regtmp, "\x6C\x6F\xE5\xA2\x80\x2D ",1, pmatch, 0); regfree(&regtmp); } with configure --enable-utf

---

[VulnerabilityType Other] stack exhaustion

---

[Vendor of Product] http://www.pcre.org/

---

[Affected Product Code Base] pcre-8.41 - 8.41

---

[Affected Component] pcre_exec.c

---

[Attack Type] Remote

---

[Impact Denial of Service] true

---

[Attack Vectors] many methods! many program use pcre, like: php and nginx ,please see: https://en.wikipedia.org/wiki/Comparison_of_regular_expression_engines

---

[Reference] https://en.wikipedia.org/wiki/Comparison_of_regular_expression_engines http://www.pcre.org/

---

[Discoverer] Benjin Liu, codesafe of qihoo 360 ,http://codesafe.cn

Use CVE-2017-11164.

---

CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAEBCAAGBQJZY7EfAAoJEHb/MwWLVhi2wBIP/jIMwxZB892scrm393PA4zM3 adhV1TQ2tkpG4ALp4zC0MhHFfVr11LuWlSxsgu/OGHBTPLYldbK+hhVOtaV7EqSB +vrvAKEepOJKLB71AR4XpixzedQnP0+SOAgYvnpVI3LW/Yb2j2yZhhTbzh6H+5Zy Z75mpeDH7HibIkTgFMlAJ6d/3VsN7Xmadc9YzZ7m+NvdU/r3pg+/dxQHd1zwrMPl 3V/IBVpAq0XiHUy470mruV7EUWAdB8rWIoN1AAxN61aiCrp0xZ/MIEXOqQPyswhd bO7jrJgeCUbovhi/PZMINX67zgTVt+yOfnpgwr5wLFoTXjzES1N1sdNWruGSN/VY SrGimn286l/bYaDCr5nY4o6W+RALuIMw/gJL6VBuJFcQ9aNpG9GH3JdT154TZwDt HM3LHX8tGPULeVLRFn77rdmaoaWUaEYvvBb6UvwQyTn81lx6TNCu3nVULCxNnkpp EVypMZo4SJ8nxJjfA+Ccvy1ZJimMAkb5mZvu+dVT95sN827HvYAVyvxQx1a7aeku euBjypn84Jx+tj9q4Hgkto8qwmJGar1dWab8/qh8YH1KLpfXgIoNMlUcSWjvdB53 QPv2btH48/aHnZ5Gp+0D7CxWxUtP2FoSzghlINjakJ1/zXGhGgqJoRnF9BjZ/uTG yuPbKM/5rrPKj9Q9Gc/t =rH9J -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.