PHP exif_process NULL Pointer DoS
A code execution vulnerability exists in PHP's exif extension module, which could cause denial of service on the server side. An attacker can exploit this vulnerability by sending a crafted JPEG or TIFF file to a web application.
This vulnerability is caused by a NULL pointer dereference while PHP parses the Exif section of an image file. When handling the Exif section, the PHP module calls a series of encoding converter functions:
exif_read_data() (if the Exif data contains a UserComment tag)
  -> exif_process_user_comment() (if the encoding designation of the string contains "JIS" and 5 null bytes)
  -> zend_multibyte_encoding_converter()
  -> zend_multibyte_fetch_encoding()
The return value of zend_multibyte_fetch_encoding() is passed to zend_multibyte_encoding_converter() as a pointer parameter:
ZEND_API size_t zend_multibyte_encoding_converter( unsigned char **to, size_t *to_length, const unsigned char *from, size_t from_length, const zend_encoding *encoding_to, const zend_encoding *encoding_from)
In zend_multibyte_fetch_encoding(), the encode_jis section of the file is passed in as a parameter; malicious input can set it to null, which eventually makes zend_multibyte_fetch_encoding() return NULL. zend_multibyte_encoding_converter() then dereferences that NULL pointer, crashing the PHP process and causing a denial of service in the web application.
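The following is an added example, not PHP's source: a simplified C model of the lookup-then-convert pattern described above, showing the hardened form in which a failed encoding lookup is treated as an error rather than dereferenced. fetch_encoding(), convert_safe() and process_user_comment() are hypothetical stand-ins for the PHP functions named in the call chain, and the encoding table deliberately omits "JIS" so the lookup fails.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for zend_encoding: a name plus a converter callback. */
typedef struct {
    const char *name;
    size_t (*convert)(unsigned char **to, size_t *to_len,
                      const unsigned char *from, size_t from_len);
} encoding_t;
/* Constructed converter: a plain byte copy stands in for real transcoding. */
static size_t copy_convert(unsigned char **to, size_t *to_len,
                           const unsigned char *from, size_t from_len) {
    *to = malloc(from_len + 1);
    if (!*to) return (size_t)-1;
    memcpy(*to, from, from_len);
    (*to)[from_len] = '\0';
    *to_len = from_len;
    return from_len;
}
/* Constructed table; "JIS" is deliberately absent so its lookup fails. */
static const encoding_t table[] = { {"ASCII", copy_convert}, {"UTF-8", copy_convert} };
/* Model of zend_multibyte_fetch_encoding(): returns NULL for an unknown name. */
const encoding_t *fetch_encoding(const char *name) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}
/* Hardened model of zend_multibyte_encoding_converter(): a NULL encoding is
   reported as a failure instead of being dereferenced. */
size_t convert_safe(unsigned char **to, size_t *to_len,
                    const unsigned char *from, size_t from_len,
                    const encoding_t *enc_to, const encoding_t *enc_from) {
    *to = NULL; *to_len = 0;
    if (enc_to == NULL || enc_from == NULL) return (size_t)-1;
    return enc_from->convert(to, to_len, from, from_len);
}
/* Model of exif_process_user_comment(): the 8-byte character-code header
   ("JIS" + 5 NUL bytes, or "ASCII" + 3) selects the source encoding.
   Returns 0 on success, -1 when the comment is left unconverted. */
int process_user_comment(const unsigned char *c, size_t len,
                         unsigned char **out, size_t *out_len) {
    const char *from_name;
    *out = NULL; *out_len = 0;
    if (len < 8) return -1;
    if (memcmp(c, "JIS\0\0\0\0\0", 8) == 0)   from_name = "JIS";
    else if (memcmp(c, "ASCII\0\0\0", 8) == 0) from_name = "ASCII";
    else return -1;
    if (convert_safe(out, out_len, c + 8, len - 8, fetch_encoding("UTF-8"),
                     fetch_encoding(from_name)) == (size_t)-1) return -1;
    return 0;
}
```

With the "JIS" header the lookup returns NULL and process_user_comment() fails closed; without the NULL check in convert_safe() the same input would reach enc_from->convert through a NULL pointer.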
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13182: PHP exif_process NULL Pointer Dereference 2