CVE-2016-3191 in PCRE

Summary

by MITRE

The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.


Analysis

by VulDB Data Team • 02/02/2019

CVE-2016-3191 is a critical stack-based buffer overflow in the Perl Compatible Regular Expressions libraries, affecting PCRE versions before 8.39 and PCRE2 versions before 10.22. The flaw resides in the compile_branch function in pcre_compile.c (PCRE 8.x) and pcre2_compile.c (PCRE2). It is triggered when a regular expression containing the (*ACCEPT) substring is combined with nested parentheses: the parser fails to manage stack memory allocation correctly during pattern compilation. The issue was particularly dangerous because it could be reached through JavaScript RegExp objects processed by web browsers, as demonstrated against the Konqueror browser's JavaScript engine. It maps to CWE-121 Stack-based Buffer Overflow, the classic stack corruption class in which insufficient bounds checking lets an attacker overwrite adjacent stack memory. Because JavaScript engines often rely on PCRE for regular expression processing, web applications and browser environments are prime targets.

Exploitation relies on a carefully crafted regular expression that overflows the buffer during the compilation phase of pattern processing, not during matching. When compile_branch encounters a pattern with (*ACCEPT) and nested parentheses, the recursive parsing logic does not account correctly for the stack space it needs, and the resulting memory corruption can be leveraged for arbitrary code execution or denial of service. The flaw is consistent with the MITRE ATT&CK technique T1059.007 Command and Scripting Interpreter: JavaScript, in which attackers use browser-based JavaScript engines to deliver malicious payloads. Because the bug sits at the library level, every application or browser that relies on PCRE for regular expression processing is affected. Since the overflow occurs at compile time rather than at match time, merely processing a malicious regular expression triggers it; no additional malicious code execution is required.

The operational impact of CVE-2016-3191 spans many attack surfaces because PCRE is so widely embedded. Web browsers, web servers and security appliances that use PCRE for content filtering, input validation or pattern matching are all potentially exposed. Both PCRE 8.x and PCRE2 are affected, so the attack surface includes the Konqueror browser, Apache web server modules and numerous other applications that depend on regular expression processing. Successful exploitation for arbitrary code execution can mean complete system compromise; otherwise the result is a denial of service that renders the application unusable. Organizations running affected versions face significant risk, since the flaw can be reached through user input handling, log parsing or any other component that accepts regular expressions. Exploitability is high because malicious regular expressions are easy to craft and to deliver through web-based attacks, which makes the vulnerability especially dangerous wherever user input reaches PCRE without proper sanitization.

Mitigation starts with immediate patching: update to PCRE 8.39 or later and PCRE2 10.22 or later to eliminate the vulnerability. Input validation and sanitization can reduce the risk further by filtering or escaping potentially malicious regular expressions before they reach the PCRE compilation functions. Security monitoring should include detection of suspicious patterns, in particular those containing (*ACCEPT) constructs combined with nested parentheses, and network-based intrusion detection systems should be configured to identify and block traffic carrying known malicious regular expression patterns. System administrators should also consider application-level restrictions on regular expression processing, especially in web applications where user input is passed to PCRE functions. The vulnerability underlines the importance of keeping third-party libraries current and of placing proper security controls around regular expression processing. Finally, sandboxing or containerization can limit the impact if exploitation does occur, since a successful attack can lead to complete system compromise.
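Two of the controls above, checking the deployed library version against the fixed releases and screening patterns for an (*ACCEPT) inside nested groups before they are compiled, can be implemented in a few lines of C. The block below is an added example, not VulDB's code and not part of PCRE; it parses the version string that pcre_version() (PCRE 8.x) or pcre2_config(PCRE2_CONFIG_VERSION, ...) (PCRE2) return, and scans a pattern for the (*ACCEPT) verb while skipping escaped parentheses, character classes and \Q...\E quoting. The version strings in main() are constructed samples in that format, and the "refuse (*ACCEPT) inside any group" policy in pattern_allowed() is a deliberately conservative assumption, since the advisory only says "in conjunction with nested parentheses".

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed releases named in the advisory: PCRE 8.39 and PCRE2 10.22. */
#define PCRE_FIXED_MAJOR  8
#define PCRE_FIXED_MINOR  39
#define PCRE2_FIXED_MAJOR 10
#define PCRE2_FIXED_MINOR 22

/* Parse a PCRE-style version string ("8.38 <date>" from pcre_version(),
 * "10.21 <date>" from pcre2_config(PCRE2_CONFIG_VERSION, buf)) and report
 * whether it is at or after the fix for its own series.
 * Returns 1 if patched, 0 if vulnerable, -1 if unparseable or outside
 * the 8.x / 10.x series the advisory covers. */
int pcre_version_is_patched(const char *version)
{
    char *end;
    long major, minor;

    if (version == NULL) return -1;
    major = strtol(version, &end, 10);
    if (end == version || *end != '.') return -1;
    minor = strtol(end + 1, &end, 10);
    if (*end != '\0' && !isspace((unsigned char)*end)) return -1;

    if (major == PCRE_FIXED_MAJOR)  return minor >= PCRE_FIXED_MINOR;
    if (major == PCRE2_FIXED_MAJOR) return minor >= PCRE2_FIXED_MINOR;
    return -1;
}

/* Return the group nesting depth at which the first (*ACCEPT) verb appears
 * in `pattern` (0 = top level), or -1 if the pattern has no (*ACCEPT).
 * Escaped characters, [...] classes and \Q...\E quoting are skipped so that
 * literal parentheses do not distort the count. */
int accept_verb_depth(const char *pattern)
{
    int depth = 0, in_class = 0, quoted = 0;
    const char *p;

    for (p = pattern; *p != '\0'; p++) {
        if (quoted) {                          /* inside \Q...\E: only \E ends it */
            if (p[0] == '\\' && p[1] == 'E') { quoted = 0; p++; }
            continue;
        }
        if (*p == '\\') {                      /* escape: the next char is literal */
            if (p[1] == 'Q') quoted = 1;
            if (p[1] != '\0') p++;
            continue;
        }
        if (in_class) {                        /* inside [...]: parens are literal */
            if (*p == ']') in_class = 0;
            continue;
        }
        if (*p == '[') {                       /* a ']' right after '[' or '[^' is literal */
            in_class = 1;
            if (p[1] == '^') p++;
            if (p[1] == ']') p++;
            continue;
        }
        if (strncmp(p, "(*ACCEPT)", 9) == 0) return depth;
        if (*p == '(') depth++;
        else if (*p == ')' && depth > 0) depth--;
    }
    return -1;
}

/* Gate a pattern before it reaches pcre_compile()/pcre2_compile().
 * A patched library takes anything. On a vulnerable (or unrecognised)
 * library, refuse any (*ACCEPT) that sits inside a group: assumed policy,
 * chosen to over-approximate the "nested parentheses" condition. */
int pattern_allowed(const char *pattern, const char *library_version)
{
    if (pcre_version_is_patched(library_version) == 1) return 1;
    return accept_verb_depth(pattern) < 1;     /* -1 (no verb) or 0 (top level) */
}

int main(void)
{
    /* Constructed sample version strings in pcre_version() format. */
    const char *old_lib = "8.38 2015-11-23";
    const char *new_lib = "8.39 2016-06-14";
    const char *patterns[] = { "(a)(*ACCEPT)", "(a(*ACCEPT))", "[(](*ACCEPT)" };
    size_t i;

    for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("%-16s depth=%2d  old:%s  new:%s\n", patterns[i],
               accept_verb_depth(patterns[i]),
               pattern_allowed(patterns[i], old_lib) ? "allow" : "refuse",
               pattern_allowed(patterns[i], new_lib) ? "allow" : "refuse");
    return 0;
}
```

The screen is a stop-gap for the window between discovery and deployment of 8.39 / 10.22; it is not a substitute for the upgrade, and the same scanner can feed a detection rule that logs any (*ACCEPT) arriving from untrusted input.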
