oss-sec mailing list archives

Re: [scr358145] pcre-8.41 - 8.41

From: "ben" <qbenjin () qq com>
Date: Tue, 11 Jul 2017 10:03:01 +0800

[Suggested description]
In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c
allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

------------------------------------------

[Additional Information]
This vulns like CVE-2017-9729.
it is about line 2061 (from the https://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?revision=1683&view=markup page) of 
pcre_exec.c:

RMATCH(eptr, prev, offset_top, md, eptrb, RM13);

this recursive calls case Segmentation fault ,because of stack exhaustion.


 The poc code like: 

 if(regcomp (&regtmp,"\x28\x61\x2A\x5C\x56\x2A\x5C\x43\x2B\x29\x2A\x6F\xE5\xA2\x80", REG_UTF8 )==0)
  {  
   regmatch_t pmatch[1];
   regexec(&regtmp, "\x6C\x6F\xE5\xA2\x80\x2D ",1, pmatch, 0);
   regfree(&regtmp);
 }
with configure --enable-utf

------------------------------------------

[VulnerabilityType Other]
stack exhaustion

------------------------------------------

[Vendor of Product]
http://www.pcre.org/

------------------------------------------

[Affected Product Code Base]
pcre-8.41 - 8.41

------------------------------------------

[Affected Component]
pcre_exec.c

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
many methods!   many program use pcre,  like: php and nginx ,please see: 
https://en.wikipedia.org/wiki/Comparison_of_regular_expression_engines

------------------------------------------

[Reference]
https://en.wikipedia.org/wiki/Comparison_of_regular_expression_engines
http://www.pcre.org/

------------------------------------------

[Discoverer]
Benjin Liu, codesafe of qihoo 360 ,http://codesafe.cn


Use CVE-2017-11164.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZY7EfAAoJEHb/MwWLVhi2wBIP/jIMwxZB892scrm393PA4zM3
adhV1TQ2tkpG4ALp4zC0MhHFfVr11LuWlSxsgu/OGHBTPLYldbK+hhVOtaV7EqSB
+vrvAKEepOJKLB71AR4XpixzedQnP0+SOAgYvnpVI3LW/Yb2j2yZhhTbzh6H+5Zy
Z75mpeDH7HibIkTgFMlAJ6d/3VsN7Xmadc9YzZ7m+NvdU/r3pg+/dxQHd1zwrMPl
3V/IBVpAq0XiHUy470mruV7EUWAdB8rWIoN1AAxN61aiCrp0xZ/MIEXOqQPyswhd
bO7jrJgeCUbovhi/PZMINX67zgTVt+yOfnpgwr5wLFoTXjzES1N1sdNWruGSN/VY
SrGimn286l/bYaDCr5nY4o6W+RALuIMw/gJL6VBuJFcQ9aNpG9GH3JdT154TZwDt
HM3LHX8tGPULeVLRFn77rdmaoaWUaEYvvBb6UvwQyTn81lx6TNCu3nVULCxNnkpp
EVypMZo4SJ8nxJjfA+Ccvy1ZJimMAkb5mZvu+dVT95sN827HvYAVyvxQx1a7aeku
euBjypn84Jx+tj9q4Hgkto8qwmJGar1dWab8/qh8YH1KLpfXgIoNMlUcSWjvdB53
QPv2btH48/aHnZ5Gp+0D7CxWxUtP2FoSzghlINjakJ1/zXGhGgqJoRnF9BjZ/uTG
yuPbKM/5rrPKj9Q9Gc/t
=rH9J
-----END PGP SIGNATURE-----

Current thread:

Re: [scr358145] pcre-8.41 - 8.41 ben (Jul 10)
- Re: Re: [scr358145] pcre-8.41 - 8.41 Agostino Sarubbo (Jul 10)