Vigil@nce: PHP, memory reading via libxml2
January 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
The PHP code does not check UTF-8 data transmitted to libxml2, so
an attacker can read a fragment of the PHP process memory.
– Severity: 1/4
– Creation date: 25/01/2011
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The libxml2 library creates XML documents. For example, its
xmlTextWriterWriteAttribute() function, called on an xmlTextWriterPtr,
adds an attribute. Its parameters have to be valid UTF-8.
The XMLWriter::writeAttribute() method of the XML module of PHP
calls libxml2. However, it does not validate UTF-8 data before
transmitting them to libxml2.
UTF-8 sequences whose first byte has the form 1110xxxx are composed of
3 bytes. The sequence "\xE0\x81" is thus invalid because the third byte
is missing. However, libxml2 reads a third byte anyway, which here is the
null ('\0') character that terminates the string. The library therefore
does not detect the end of the string and continues to read past it.
An attacker can therefore cause XMLWriter::writeAttribute() to consume
the terminating null byte, and then read the generated XML document,
which will contain memory data located after the end of the malformed
UTF-8 sequence transmitted to writeAttribute().
The PHP code thus does not check UTF-8 data transmitted to
libxml2, so an attacker can read a fragment of the PHP process
memory.
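The check that the bulletin says PHP omitted, as an added example (written for this page, not PHP's or libxml2's own code): a bounds-safe UTF-8 validator in C that rejects a multibyte sequence cut off by the string terminator instead of consuming the null byte and scanning past it. The function names are assumed for illustration.

```c
#include <stddef.h>

/* Number of continuation bytes expected after lead byte `b`, or -1 if `b`
 * cannot start a sequence (stray 10xxxxxx byte, 0xC0/0xC1, 0xF5..0xFF). */
static int utf8_cont_len(unsigned char b)
{
    if (b < 0x80) return 0;   /* ASCII, single byte */
    if (b < 0xC2) return -1;  /* continuation byte or overlong 2-byte lead */
    if (b < 0xE0) return 1;   /* 110xxxxx: 2-byte sequence */
    if (b < 0xF0) return 2;   /* 1110xxxx: 3-byte sequence */
    if (b < 0xF5) return 3;   /* 11110xxx: 4-byte sequence, up to U+10FFFF */
    return -1;
}

/* Returns 1 if the NUL-terminated string `s` is well-formed UTF-8, else 0.
 * Each continuation byte is tested before the scan advances over it, so a
 * truncated sequence such as "\xE0\x81" fails on the NUL terminator rather
 * than treating it as payload and reading beyond the buffer. */
int utf8_valid_cstr(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        unsigned char lead = *p;
        int n = utf8_cont_len(lead);
        if (n < 0) return 0;
        /* Continuation bytes must be 10xxxxxx; a NUL (0x00) fails this test,
         * and the loop stops at the first failure, never reading past it. */
        for (int i = 1; i <= n; i++) {
            if ((p[i] & 0xC0) != 0x80) return 0;
        }
        /* Reject overlong encodings, UTF-16 surrogates and values > U+10FFFF. */
        if (n == 2) {
            if (lead == 0xE0 && p[1] < 0xA0) return 0;  /* overlong */
            if (lead == 0xED && p[1] > 0x9F) return 0;  /* U+D800..U+DFFF */
        } else if (n == 3) {
            if (lead == 0xF0 && p[1] < 0x90) return 0;  /* overlong */
            if (lead == 0xF4 && p[1] > 0x8F) return 0;  /* above U+10FFFF */
        }
        p += n + 1;
    }
    return 1;
}
```

A wrapper around XMLWriter::writeAttribute() that refuses any value for which this check fails would have closed the read described above; mb_check_encoding() plays the same role on the PHP side.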
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-memory-reading-via-libxml2-10297