Jump to content
Nytro

Exploiting PHP Format String Bugs the Easy Way

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Exploiting PHP Format String Bugs the Easy Way

 

I’ve been spending a lot of time poking through the PHP source-code lately, and twice now I’ve come across format string vulnerabilities. [1][2]  I don’t consider format string bugs particularly interesting in-and-of themselves (they’re well known, and well understood), but it turns out PHP format strings are special.  PHP adds functionality that makes these bugs a breeze to exploit.  Let me explain…

First though, full disclosure: this technique is not entirely my own.  The original idea was inspired by Stefan Esser (@i0n1c) back in November of 2015. [3]  If you enjoy security research, especially relating to PHP, I would highly recommend you follow him!

Ok, PHP handles most format strings using custom internal functions.  There are lots of these defined all throughout the code.  For instance let’s grep for function definitions containing a format string as an argument.  This isn’t perfect or scientific, but it gives you an idea.

1
2
andrew@thinkpad /tmp % grep -PRHn "const char ?\* ?(format|fmt)" ./php-7.0.3 | wc -l
149

I won’t post all of those, but here are two examples.  In fact, these are the same functions that were erroneously called in the two bugs linked below.

1
2
3
static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce, const char *format, ...)
ZEND_API ZEND_COLD zend_object *zend_throw_exception_ex(zend_class_entry *exception_ce, zend_long code, const char *format, ...)
... etc ...

Most, if not all, of these internal format string functions ultimately call either “xbuf_format_converter” (defined in main/spprintf.c), or “format_converter” (defined in main/snprintf.c).  These two functions actually do the work of walking along the string and substituting specifiers with their corresponding values.  This would be totally uninteresting, except for the fact that PHP adds one block that you don’t see in other format string implementations.  From “main/spprintf.c”…

 

Articol complet: https://jmpesp.org/blog/index.php/2016/07/28/exploiting-php-format-string-bugs-the-easy-way/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...