Vigil@nce: PHP, reading memory via GD imagerotate
January 2009 by Vigil@nce
SYNTHESIS
An attacker can use the imagerotate() function of GD in order to
read the process memory.
Gravity: 1/4
Consequences: data reading
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 30/12/2008
IMPACTED PRODUCTS
– PHP
DESCRIPTION
The GD module of PHP is used to handle images.
The imagerotate() function rotates an image, and applies a
background color on new pixels:
imagerotate($image, $angle, $background_color)
However, the background color value is not validated before it is
used as an offset for a memory read.
A local attacker can therefore create a PHP script calling
imagerotate() in order to read the memory of the PHP process.
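The missing check, shown as an added example in C. This is a simplified
model, not code from PHP or GD: it assumes a palette image in which the
background color is an index into per-channel tables, and the names
palette_image, sample_palette, bg_color_unchecked and bg_color_checked are
hypothetical.

```c
#include <stdio.h>

#define PALETTE_MAX 256

/* Hypothetical, simplified palette image; not GD's real structure. */
typedef struct {
    int colors_total;                 /* palette entries actually in use */
    unsigned char red[PALETTE_MAX], green[PALETTE_MAX], blue[PALETTE_MAX];
} palette_image;

/* Constructed sample: a three-entry palette (red, green, blue). */
static palette_image sample_palette(void)
{
    palette_image im = { 0 };
    im.colors_total = 3;
    im.red[0] = 255; im.green[1] = 255; im.blue[2] = 255;
    return im;
}

/* Unchecked pattern: bg comes from the script and is used directly as an
 * array offset, so a value outside the palette reads unrelated memory. */
static unsigned bg_color_unchecked(const palette_image *im, int bg)
{
    return ((unsigned)im->red[bg] << 16) | ((unsigned)im->green[bg] << 8) | im->blue[bg];
}

/* Checked form: reject any index outside [0, colors_total) before the read.
 * Returns 0 and stores 0xRRGGBB in *rgb, or -1 if the index is invalid. */
static int bg_color_checked(const palette_image *im, int bg, unsigned *rgb)
{
    if (im->colors_total > PALETTE_MAX || bg < 0 || bg >= im->colors_total)
        return -1;
    *rgb = bg_color_unchecked(im, bg);
    return 0;
}

int main(void)
{
    palette_image im = sample_palette();
    int candidates[] = { 1, -1, 3, 0x7fffffff };   /* constructed inputs */
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        unsigned rgb = 0;
        if (bg_color_checked(&im, candidates[i], &rgb) == 0)
            printf("bg=%d -> #%06X\n", candidates[i], rgb);
        else
            printf("bg=%d rejected\n", candidates[i]);
    }
    return 0;
}
```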
CHARACTERISTICS
Identifiers: BID-33002, CVE-2008-5498, VIGILANCE-VUL-8361