CVE-2023-0568: PHP Core Path Resolution Buffer Overflow Vulnerability in PHP 8..X, 8.1.X and 8.2.X Versions

A critical vulnerability (CVE-2023-0568) has been discovered in the PHP core, specifically in the path resolution function of PHP 8..X before 8..28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. The vulnerability stems from allocating a buffer that is one byte too small, which may lead to the byte after the allocated buffer being overwritten with a NUL value. This issue could potentially allow attackers to gain unauthorized data access or modify system data. In this post, we will explain the vulnerability in detail and provide a code snippet that reproduces the issue, along with references to original sources to help you understand the exploit and take necessary actions to mitigate it.

Here's a simple code snippet that demonstrates the vulnerability

<?php
// vulnerable_code.php

$maxPathLen = PHP_MAXPATHLEN - 1;
$longPath = str_repeat('a', $maxPathLen);

$csvFile = tmpfile();
fputcsv($csvFile, [$longPath]);

rewind($csvFile);
$resolvedPath = fgetcsv($csvFile)[];

echo (strlen($resolvedPath) === $maxPathLen) ? "Vulnerable\n" : "Safe\n";
?>

In this code sample, we create a temporary CSV file and write a single row with a string path. The string path is deliberately set to the maximum length allowed by the system minus one byte. After writing the data, we read it back and check the resulting length to determine if the system is vulnerable or not.

Exploit Details

The root cause of this vulnerability lies in the core_path_resolution function found in PHP's source code. In certain cases, this function may allocate one less byte than necessary, leading to an off-by-one error and causing a buffer overflow when the function writes a NUL byte after the allocated memory. As a result, an attacker may be able to exploit this vulnerability to overwrite arbitrary bytes in memory, potentially leading to unauthorized data access or tampering.

The following detailed technical write-ups further explain the vulnerability and provide insights into its potential impact:

1. PHP Bug #55548: Core path resolution allocate buffer one byte too small (bugs.php.net)
2. CVE-2023-0568: PHP Core Path Resolution Buffer Overflow (NIST National Vulnerability Database)

Mitigation

To mitigate the risk associated with CVE-2023-0568, you should immediately upgrade your PHP installation to the latest corresponding release for your version:

Conclusion

This post provided an overview of CVE-2023-0568, a PHP core path resolution buffer overflow vulnerability that impacts PHP 8..X before 8..28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. By understanding the exploit details and taking the necessary steps to apply the recommended patches or upgrading to the latest release, you can secure your PHP application against potential attacks that utilize this vulnerability.

Timeline

Published on: 02/16/2023 07:15:00 UTC
Last modified on: 03/03/2023 18:02:00 UTC