CVE-2019-6977
published 2019-01-27


Priority: P2, 74, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 65.12% (99.2th percentile)
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.

Affected

12 ranges
Vendor      Product        Version range                      Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      debian_linux
debian      libgd2         < libgd2 2.2.5-5.1 (bookworm)      libgd2 2.2.5-5.1 (bookworm)
libgd       libgd
php         php            < 5.6.40                           5.6.40
php         php
php         php            >= 7.0.0 < 7.1.26                  7.1.26
php         php            >= 7.2.0 < 7.2.14                  7.2.14

Detection & IOCs (extracted from sources)

URL: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
URL: https://bugs.php.net/bug.php?id=77270
Command: imagecolormatch($img1, $img2)
  • The vulnerability is triggered via PHP's imagecolormatch() function with a crafted second image that has a minimal color palette (e.g., 1-2 colors allocated via imagecolorallocate) while pixel color index values are set out-of-bounds (up to 255), causing a heap OOB write. Monitor PHP applications calling imagecolormatch() with untrusted image input.
  • Exploit proof-of-concept uses a GET/POST parameter 'f' to pass a function pointer address and 'c' to pass an OS command for execution, delivered to a PHP script exposing imagecolormatch(). Look for HTTP requests with hex-formatted pointer values in parameters (e.g., ?f=0x...) alongside a command parameter.
  • The exploit allocates exactly 2 colors (nb_colors=2) in the palette image so that buf size equals 0x50 bytes (2 * 0x28), matching dom_object fastbin size for heap feng shui. Detection of imagecolormatch() calls where the second image has very few colors (1-2) but pixel values reference out-of-range color indices is a strong exploit indicator.
  • The attacker needs to be able to upload a specially crafted image to a PHP script which uses the imagecolormatch() function. Monitor file upload endpoints on PHP applications for palette-mode images (imagecreate) with anomalous pixel color indices exceeding the allocated color count.
  • Affected PHP versions are: before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. The exploit was specifically tested on PHP 7.2.12. Detection and patching scope should be validated against the exact PHP version in use.
  • The exploit is architecture-dependent (heap layout, pointer sizes, fastbin sizes). The PoC targets 64-bit PHP 7.2.x specifically; exploitation reliability on other versions or 32-bit systems may differ significantly.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_redhat             8.8     HIGH