CVE-2023-3824

Buffer overflow and overread in phar_dir_read()

Publication date: 08/11/2023

Remote Code Execution - PHP

The famous exploit who took Lockbit3 down during the Cronos Operation the 20th of February of 2024.

When loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {
        "cveId": "CVE-2023-3824",
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "state": "PUBLISHED",
        "assignerShortName": "php",
        "dateReserved": "2023-07-21T16:57:23.334Z",
        "datePublished": "2023-08-11T05:48:34.082Z",
        "dateUpdated": "2023-08-11T05:48:34.082Z"
    },
    "containers": {
        "cna": {
            "affected": [
                {
                    "defaultStatus": "affected",
                    "product": "PHP",
                    "vendor": "PHP Group",
                    "versions": [
                        {
                            "lessThan": "8.0.30",
                            "status": "affected",
                            "version": "8.0.*",
                            "versionType": "semver"
                        },
                        {
                            "lessThan": "8.1.22",
                            "status": "affected",
                            "version": "8.1.*",
                            "versionType": "semver"
                        },
                        {
                            "lessThan": "8.2.8",
                            "status": "affected",
                            "version": "8.2.*",
                            "versionType": "semver"
                        }
                    ]
                }
            ],
            "credits": [
                {
                    "lang": "en",
                    "type": "reporter",
                    "user": "00000000-0000-4000-9000-000000000000",
                    "value": "Niels Dossche  "
                }
            ],

Score: CVSS v3.x: PHP Group: 9.4 // NVD: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

"metrics": [
                {
                    "cvssV3_1": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "LOW",
                        "baseScore": 9.4,
                        "baseSeverity": "CRITICAL",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                        "version": "3.1"
                    },
                    "format": "CVSS",

Vulnerable Code:

/**
 * Used for readdir() on an opendir()ed phar directory handle
 */
static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
{
	size_t to_read;
	HashTable *data = (HashTable *)stream->abstract;
	zend_string *str_key;
	zend_ulong unused;

	if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
		return 0;
	}

	zend_hash_move_forward(data);
	to_read = MIN(ZSTR_LEN(str_key), count);

	if (to_read == 0 || count < ZSTR_LEN(str_key)) {
		return 0;
	}

	memset(buf, 0, sizeof(php_stream_dirent));
	memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
	((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';

	return sizeof(php_stream_dirent);
}
/* }}} */

References:

POC:

PreviousCVE-2023-42942NextCVE-2023-22515

Last updated