Vulnerability report written by the TA team by analyzing "PHP Stack Buffer Overflow Vulnerability"

CVE-2023-3824 is a stack buffer overflow vulnerability in PHP that occurs when reading PHAR (PHP Archive) files. This vulnerability could allow attackers to cause memory corruption or execute remote code on the affected system. To mitigate this risk, it is crucial to update PHP to the latest version and ensure proper validation when handling PHAR files.

Tags: PHP, Stack buffer overflow, Remote Code Execution, CVE-2023-3824, phar archive

1. Overview

This is a vulnerability found in PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. It is related to the way PHP handles PHP Archive (PHAR) files. Specifically, insufficient length checking while reading PHAR directory entries can result in a stack buffer overflow. This vulnerability is an attack that has the potential to cause memory corruption or, more importantly, remote code execution (RCE).

Source : https://www.securitynewspaper.com/2023/08/08/code-exploiting-two-critical-php-8-0-30-vulnerabilities-published/

2. Attack Type

The vulnerability creates a malicious Phar file in PHP and causes a buffer overflow vulnerability.

1. Create a new PHP file and add code to it.

2. execute a PHP script to generate a malicious Phar file.

When the above script is executed, buffer overflows and overleads are triggered, leading to the vulnerability.

Exploiting this vulnerability is difficult and highly dependent on the target application, but it can be exploited through a combination of stack information leaks and buffer overflows, so be careful.

EX)

If the code was run in Valgrind (an open-source DBI tool based on Linux), it would show the problem.

The strlen() function does not properly NUL-terminate the d_name buffer, causing overreading to begin.

3. Response

The universal response to the CVE-2023-3824 vulnerability is as follows

1. updating the PHP version with the latest security patches
2. review and secure functions related to Phar files where the vulnerability occurs
3. tightening access controls at the server level and blocking data with WAF features

4. Conclusion

CVE-2023-3824 is a critical vulnerability in PHP that can pose a serious security risk. Exploitation of this vulnerability could allow an attacker to execute remote code or cause memory corruption by leveraging a stack buffer overflow. To mitigate these risks, it is important to update PHP to the latest patched version and implement strict security practices when handling Phar files.

5. References

• https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv
• https://stackoverflow.com/questions/78182104/trying-to-understand-cve-2023-3824
• https://nvd.nist.gov/vuln/detail/CVE-2023-3824
• https://github.com/jhonnybonny/CVE-2023-3824