PHP 5.6 / 5.5 / 5.4 Session Deserialized Use-After-Free

基本字段

漏洞编号：: SSV-89407

披露/发现时间：: 未知

提交时间：: 2015-09-12

漏洞等级：

漏洞类别：: 释放后重用

影响组件：: PHP
(影响版本较多,点击查看)

漏洞作者：: 未知

提交者：: 名匿

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者名匿共获得 1.95KB

#Use After Free Vulnerabilities in Session DeserializerTaoguang Chen <[@chtg](<a href="http://github.com/chtg" rel="nofollow">http://github.com/chtg</a>)> - Write Date: 2015.8.9- Release Date: 2015.9.4> Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.Affected Versions------------Affected is PHP 5.6 < 5.6.13Affected is PHP 5.5 < 5.5.29Affected is PHP 5.4 < 5.4.45Credits------------This vulnerability was disclosed by Taoguang Chen.Description------------<pre>PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */{... PHP_VAR_UNSERIALIZE_INIT(var_hash);p = val;while (p < endptr) {...if (has_value) {ALLOC_INIT_ZVAL(current);if (php_var_unserialize(&current, (const unsigned char **) &q,(const unsigned char *) endptr, &var_hash TSRMLS_CC)) {php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);}zval_ptr_dtor(&current);}PS_ADD_VARL(name, namelen);skip:efree(name);p = q;}break_outer_loop:PHP_VAR_UNSERIALIZE_DESTROY(var_hash);return SUCCESS;}</pre>When session deserializer (php/php_binary) deserializing multiple datait will call to php_var_unserialize() multiple times. So we can createZVAL and free it via the php_var_unserialize() with a craftedserialized string, and also free the memory (reduce the referencecount of the ZVAL to zero) via zval_ptr_dtor() with deserialize twoidentical session data, then the next call to php_var_unserialize()will still allow to use R: or r: to set references to that alreadyfreed memory. It is possible to use-after-free attack and executearbitrary code remotely.In some other cases, session deserializer(php/php_binary/php_serialize) may also lead to use-after-freevulnerabilities: i) via crafted Serializable::unserialize() ii) viaunserialize()'s callback function and zend_lookup_class() call acrafted __autoload().