SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


PHP exif_process NULL Pointer DoS (Feb 9, 2018)



Description


A code execution vulnerability exists in PHP's exif extension module, which could cause denial of service on the server side. An attacker can exploit this vulnerability by sending a certain crafted JPEG or TIFF file to a web application.

The cause of this vulnerability is due to a null pointer exception during PHP parsing the exif part of a picture file. When handling the exif section, the PHP module will have a series of encoding converter functions.

exif_read_data() (If the Exif data contains a user comment tag) 
-----> exif_process_user_comment() (If encoding designation for the string contains "JIS" and 5 null bytes)  
-----> zend_multibyte_encoding_converter() 
-----> zend_multibyte_fetch_encoding() 

The return value of zend_multibyte_fetch_encoding() will be passed to zend_multibyte_encoding_converter as a pointer parameter.

ZEND_API size_t zend_multibyte_encoding_converter(
unsigned char **to, 
size_t *to_length, 
const unsigned char *from, 
size_t from_length, 
const zend_encoding *encoding_to, 
const zend_encoding *encoding_from)

In the zend_multibyte_fetch_encoding(), the encode_jis section in the file will be passed in as a parameter, which could be set to null by malicious input, and eventually makes zend_multibyte_fetch_encoding() returns null. Thus, the zend_multibyte_encoding_converter will trigger a null pointer falier, cauing the web application DoS.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13182: PHP exif_process NULL Pointer Dereference 2



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.11 | S2MSW02