oss-sec mailing list archives
Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 27 May 2024 12:31:46 +0200
* Charles Fol:
> Hello all,
>
> Although very late, here is a follow-up explaining the impact of the vulnerability.
>
> Provided that you can force an application to convert a partially controlled buffer to ISO-2022-CN-EXT, you get an overflow of 1 to 3 bytes whose value you don't control.
>
> This can be triggered in at least two ways in PHP:
>
> - Through direct calls to iconv()
> - Through the use of PHP filters (i.e. using a "file read" vulnerability)
>
> Due to the way PHP's heap is built, you can use such a memory corruption to alter part of a free list pointer, which can in turn give you an arbitrary write primitive in the program's memory.
>
> With this bug, any person that has a file read vulnerability with a controlled prefix on a PHP application has RCE.

Out of curiosity, why would PHP translate a file to ISO-2022-CN-EXT while reading it? It's not even an ASCII-transparent charset.

Thanks,
Florian