Nytro Posted August 7, 2016

Exploiting PHP Format String Bugs the Easy Way

I’ve been spending a lot of time poking through the PHP source code lately, and twice now I’ve come across format string vulnerabilities. [1][2] I don’t consider format string bugs particularly interesting in and of themselves (they’re well known and well understood), but it turns out PHP format strings are special. PHP adds functionality that makes these bugs a breeze to exploit. Let me explain…

First though, full disclosure: this technique is not entirely my own. The original idea was inspired by Stefan Esser (@i0n1c) back in November of 2015. [3] If you enjoy security research, especially relating to PHP, I would highly recommend you follow him!

Ok, PHP handles most format strings using custom internal functions. There are lots of these defined all throughout the code. For instance, let’s grep for function definitions containing a format string as an argument. This isn’t perfect or scientific, but it gives you an idea.

    andrew@thinkpad /tmp % grep -PRHn "const char ?\* ?(format|fmt)" ./php-7.0.3 | wc -l
    149

I won’t post all of those, but here are two examples. In fact, these are the same functions that were erroneously called in the two bugs linked below.

    static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce, const char *format, ...)
    ZEND_API ZEND_COLD zend_object *zend_throw_exception_ex(zend_class_entry *exception_ce, zend_long code, const char *format, ...)
    ... etc ...

Most, if not all, of these internal format string functions ultimately call either “xbuf_format_converter” (defined in main/spprintf.c) or “format_converter” (defined in main/snprintf.c). These two functions actually do the work of walking along the string and substituting specifiers with their corresponding values. This would be totally uninteresting, except for the fact that PHP adds one block that you don’t see in other format string implementations.

From “main/spprintf.c”…

Full article: https://jmpesp.org/blog/index.php/2016/07/28/exploiting-php-format-string-bugs-the-easy-way/