CVE-2017-11164 in PCRE

Summary

by MITRE

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.


Analysis

by VulDB Data Team • 12/31/2020

The vulnerability identified as CVE-2017-11164 represents a critical stack exhaustion issue within the Perl Compatible Regular Expressions library version 8.41. This flaw specifically affects the OP_KETRMAX feature implementation within the pcre_exec.c source file, creating a condition where maliciously crafted regular expressions can trigger uncontrolled recursive behavior. The vulnerability stems from the improper handling of certain quantifiers in regular expression patterns, particularly those involving repeated matches with maximum bounds. When the matching engine processes these specially constructed patterns, it enters into a recursive loop that consumes excessive stack memory, ultimately leading to stack exhaustion and potential application crash or denial of service.

The technical implementation of this vulnerability resides in how PCRE handles the OP_KETRMAX opcode during regular expression matching operations. This opcode is designed to handle possessive quantifiers with maximum repetition limits, but the implementation fails to properly bound recursive calls that occur during pattern matching. The flaw manifests when the regular expression engine encounters patterns that combine specific quantifier combinations with backtracking mechanisms, causing the recursive matching process to spiral out of control. This behavior aligns with CWE-674, which describes "Uncontrolled Recursion" as a weakness where a program's recursion is not properly bounded, leading to stack overflow conditions.

From an operational perspective, this vulnerability presents significant risks to applications that rely on PCRE for input validation, text processing, or pattern matching operations. Attackers can exploit this weakness by crafting regular expressions that trigger the recursive behavior, potentially causing denial of service against web applications, network devices, or any system that processes untrusted regular expression input. The impact extends beyond simple service disruption, as the vulnerability can be leveraged in broader attack chains where denial of service serves as a precursor to more sophisticated exploitation techniques. This vulnerability directly maps to ATT&CK technique T1499.004, which covers "Endpoint Denial of Service" through resource exhaustion attacks.

The mitigation strategies for CVE-2017-11164 primarily involve upgrading to PCRE version 8.42 or later, where the recursive behavior has been properly bounded and controlled. System administrators should implement input validation measures to limit the complexity and length of regular expressions processed by applications, particularly when dealing with user-supplied input. Additionally, implementing resource limits and stack size restrictions on applications using PCRE can provide defensive measures against exploitation attempts. Organizations should also consider implementing regular expression sandboxing techniques and monitoring for unusual processing patterns that might indicate attempted exploitation of this vulnerability. The fix implemented in PCRE 8.42 addresses the root cause by introducing proper recursion depth limiting and ensuring that the matching engine does not enter infinite recursive loops when processing maliciously crafted patterns.
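The input-validation mitigation above needs a concrete shape: something has to decide, before a user-supplied pattern reaches the backtracking matcher, whether its length, group nesting, nesting of quantified groups and explicit repeat bounds stay inside a budget. The following admission check is an added example written for this page; it is not VulDB's or PCRE's code. The limit values in PatternLimits are illustrative assumptions, the sample patterns are constructed here, and Python's re module stands in only for the compile step (in a real deployment the admitted pattern would be handed to PCRE, ideally with match_limit_recursion set in pcre_extra so the engine itself returns PCRE_ERROR_RECURSIONLIMIT instead of exhausting the stack).

```python
"""Complexity budget for user-supplied regular expressions, applied before a
backtracking matcher (such as PCRE) ever sees the pattern.
Added example for this page; limits and sample patterns are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PatternLimits:
    max_length: int = 256            # whole pattern, in characters (assumed value)
    max_group_depth: int = 4         # parenthesis nesting (assumed value)
    max_quantified_nesting: int = 1  # quantified group inside a quantified group
    max_repeat: int = 100            # largest finite {n,m} upper bound (assumed value)


DEFAULT_LIMITS = PatternLimits()


class PatternRejected(ValueError):
    """Raised when a pattern exceeds the configured complexity budget."""


# *, +, ?, {n}, {n,}, {n,m}, each optionally followed by a lazy/possessive suffix
_QUANT = re.compile(r"\{(\d+)(?:,(\d*))?\}[?+]?|[*+?][?+]?")


def _quantifier_at(pattern: str, pos: int):
    """Return (chars_consumed, finite_upper_bound_or_None) for a quantifier
    starting at pos; chars_consumed is 0 when no quantifier starts there."""
    m = _QUANT.match(pattern, pos)
    if not m:
        return 0, None
    if m.group(1) is None:                       # one of * + ?
        return m.end() - pos, (1 if m.group(0)[0] == "?" else None)
    lo, hi = m.group(1), m.group(2)
    if hi is None:
        upper = int(lo)                          # {n}
    elif hi == "":
        upper = None                             # {n,} is unbounded
    else:
        upper = int(hi)                          # {n,m}
    return m.end() - pos, upper


def pattern_metrics(pattern: str) -> dict:
    """Single left-to-right walk collecting group depth, nesting depth of
    quantified groups and the largest finite repeat bound."""
    stack = []          # per open group: deepest quantified nesting seen inside it
    max_depth = max_qnest = max_repeat = 0
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                            # escaped char is never structural
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":      # leading ^ and a literal ] right after [
                i += 1
            if i < n and pattern[i] == "]":
                i += 1
            continue
        if c == "(":
            stack.append(0)
            max_depth = max(max_depth, len(stack))
            i += 1
            if i < n and pattern[i] == "?":      # skip (?: (?= (?<= (?P prefixes
                i += 2
            continue
        if c == ")":
            if not stack:
                raise PatternRejected("unbalanced ')'")
            inner = stack.pop()
            consumed, upper = _quantifier_at(pattern, i + 1)
            if upper is not None:
                max_repeat = max(max_repeat, upper)
            qnest = inner + (1 if consumed else 0)   # this group is quantified
            if stack:
                stack[-1] = max(stack[-1], qnest)
            else:
                max_qnest = max(max_qnest, qnest)
            i += 1 + consumed
            continue
        consumed, upper = _quantifier_at(pattern, i)  # quantifier on a single atom
        if consumed:
            if upper is not None:
                max_repeat = max(max_repeat, upper)
            i += consumed
            continue
        i += 1
    if stack:
        raise PatternRejected("unbalanced '('")
    return {"length": n, "group_depth": max_depth,
            "quantified_nesting": max_qnest, "max_repeat": max_repeat}


def rejection_reason(pattern: str, limits: PatternLimits = DEFAULT_LIMITS) -> Optional[str]:
    """None when the pattern fits the budget, otherwise a short reason."""
    if len(pattern) > limits.max_length:
        return f"length {len(pattern)} exceeds {limits.max_length}"
    try:
        m = pattern_metrics(pattern)
    except PatternRejected as exc:
        return str(exc)
    if m["group_depth"] > limits.max_group_depth:
        return f"group nesting {m['group_depth']} exceeds {limits.max_group_depth}"
    if m["quantified_nesting"] > limits.max_quantified_nesting:
        return (f"quantified groups nested {m['quantified_nesting']} deep exceeds "
                f"{limits.max_quantified_nesting}")
    if m["max_repeat"] > limits.max_repeat:
        return f"repeat bound {m['max_repeat']} exceeds {limits.max_repeat}"
    return None


def admit_pattern(pattern: str, limits: PatternLimits = DEFAULT_LIMITS) -> re.Pattern:
    """Compile only patterns that pass the budget; re is a stand-in for PCRE here."""
    reason = rejection_reason(pattern, limits)
    if reason:
        raise PatternRejected(reason)
    return re.compile(pattern)


# Constructed sample patterns (not taken from the advisory)
SAMPLES = {
    "email": r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$",
    "ipv4": r"^(?:\d{1,3}\.){3}\d{1,3}$",
    "nested": r"^((a+)+)+b$",
    "hugebound": r"^(ab){1,500}$",
}

if __name__ == "__main__":
    for name, pat in SAMPLES.items():
        print(f"{name:10} {rejection_reason(pat) or 'admitted'}")
```

The walk deliberately tracks nesting of quantified groups rather than raw parenthesis depth: a repeated group inside another repeated group is the shape whose recursion depth in the matcher grows with the subject, whereas a single bounded group such as the IPv4 sample is admitted. The budget is a pre-filter, not a substitute for the engine-side recursion limit and the stack size limits the paragraph above recommends.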
