Topic : PHP ImageCopyResized/ImageCopyResampled Integer Overflow
SecurityAlert : 3103
CVE : CVE-2007-3996
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : Yes
Exploit Available : Yes
Credit : Mattias Bengtsson & Philip Olausson
Published : 08.09.2007
Affected Software : PHP <= 5.2.3
Advisory Content : PHP ImageCopyResized/ImageCopyResampled Integer Overflow
Affected Products:
PHP <= 5.2.3
Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>
Reported:
2007-06-05
Released:
2007-08-30
CVE:
CVE-2007-3996
Issue:
Two integer overflows exist in the copy of libgd bundled with PHP. Remote
exploitation of these overflows may, under some circumstances, allow execution
of arbitrary code.
Description:
PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML. libgd is used for
dynamic creation of images.
Details:
The overflow is located in the libgd function gdImageCopyResized(), which
PHP uses internally and which can also be reached from PHP scripts through
imagecopyresized() or imagecopyresampled().
...
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);
...
for (i = 0; (i < srcW); i++) {
stx[i] = dstW * (i+1) / srcW - dstW * i / srcW ;
}
for (i = 0; (i < srcH); i++) {
sty[i] = dstH * (i+1) / srcH - dstH * i / srcH ;
}
...
Passing a large value for srcW or srcH causes an integer overflow when the
buffer size for stx or sty is computed: sizeof(int) * srcW is evaluated in
size_t arithmetic, so on a 32-bit build a sufficiently large srcW wraps the
product past 2^32 and a much smaller buffer than intended is allocated. The
for-loops that follow the allocation still iterate srcW (or srcH) times and
write far beyond the end of that buffer, which results in a crash or possible
execution of arbitrary code. The products dstW * (i+1) and dstH * (i+1) inside
the loops are plain int arithmetic and overflow as well once the destination
dimensions are large.
If a web application uses these functions to resize images that can be
uploaded remotely, the overflow can be triggered with a specially crafted
image file.
Proof of Concept:
The argument order of imagecopyresized() is (dst, src, dst_x, dst_y, src_x,
src_y, dst_w, dst_h, src_w, src_h), so the call below passes a destination
width of 0x7fffffff with a 120x120 source:
<?php
imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),
                 imagecreatetruecolor(120, 120),
                 0, 0, 0, 0, 0x7fffffff, 120, 120, 120);
?>
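The following C program is an added illustration and is not code from the advisory, from libgd or from PHP. It isolates the two arithmetic problems described above in a stand-alone form: step_table_bytes_32() reproduces the sizeof(int) * srcW computation as a 32-bit build performs it (sizeof(int) == 4 is assumed), and make_step_table() is a hypothetical hardened builder for one stx/sty table that refuses dimensions which would wrap the allocation or overflow dstW * (i+1), in the spirit of the checks a fixed version needs. All function names are mine.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size of the stx/sty table in bytes as a 32-bit build computes it:
 * sizeof(int) * srcW in 32-bit size_t arithmetic (sizeof(int) assumed 4).
 * The return value is what gdMalloc() would be asked for, wrapped or not. */
uint32_t step_table_bytes_32(int srcW)
{
    return (uint32_t)4 * (uint32_t)srcW;
}

/* Hypothetical hardened builder for one step table (stx for widths, sty
 * for heights). Returns NULL instead of allocating when
 *  - a dimension is not positive,
 *  - sizeof(int) * src would wrap size_t on this build, or
 *  - dst * (i + 1) would exceed INT_MAX for some i < src
 *    (the largest product is dst * src, so one check covers every i).
 * The caller frees the result. */
int *make_step_table(int dst, int src)
{
    if (dst <= 0 || src <= 0)
        return NULL;
    if ((size_t)src > SIZE_MAX / sizeof(int))
        return NULL;                      /* allocation size would wrap */
    if ((int64_t)dst * (int64_t)src > INT_MAX)
        return NULL;                      /* loop arithmetic would overflow */

    int *tbl = malloc(sizeof(int) * (size_t)src);
    if (tbl == NULL)
        return NULL;
    for (int i = 0; i < src; i++)
        tbl[i] = dst * (i + 1) / src - dst * i / src;   /* gd's formula */
    return tbl;
}

/* The table partitions dst into src pieces, so its entries must sum to
 * dst; a cheap self-check after building it. */
long step_table_sum(const int *tbl, int src)
{
    long sum = 0;
    for (int i = 0; i < src; i++)
        sum += tbl[i];
    return sum;
}

/* Convenience wrapper: build a table and return its sum, or -1 if the
 * dimensions were refused. */
long build_and_sum(int dst, int src)
{
    int *tbl = make_step_table(dst, src);
    if (tbl == NULL)
        return -1;
    long s = step_table_sum(tbl, src);
    free(tbl);
    return s;
}

int main(void)
{
    /* Legitimate resize: 120 source columns spread over 300 destination columns. */
    int *stx = make_step_table(300, 120);
    if (stx != NULL) {
        printf("stx[0..3] = %d %d %d %d, sum = %ld\n",
               stx[0], stx[1], stx[2], stx[3], step_table_sum(stx, 120));
        free(stx);
    }

    /* srcW = 0x40000001: 4 * srcW = 0x100000004, which a 32-bit size_t
     * truncates to 4. gdMalloc() then returns a 4-byte buffer and the fill
     * loop writes 0x40000001 ints into it. */
    printf("srcW=0x40000001 -> 32-bit allocation size %u bytes\n",
           (unsigned)step_table_bytes_32(0x40000001));

    /* The advisory's PoC dimensions: dstW = 0x7fffffff, srcW = 120. The
     * hardened builder refuses them because dstW * (i+1) overflows int. */
    printf("PoC dimensions accepted: %s\n",
           make_step_table(0x7fffffff, 120) ? "yes" : "no");
    return 0;
}
```

The int64_t product check is deliberately stricter than it strictly needs to be for a 64-bit build, where the allocation can never wrap; it rejects the same inputs on every architecture, which is what you want for a library that is compiled for both. At the PHP level the practical mitigation for an upload handler is the same idea one layer up: validate the dimensions reported for the uploaded file against an upper bound before handing them to imagecopyresampled(), rather than trusting whatever the image header claims.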
Impact:
Because this vulnerability can be triggered remotely, the impact should be
considered high.
Solution:
Upgrade to PHP 5.2.4