| Summary: | php: Session WDDX Packet Deserialization Type Confusion Vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, carnil, cbuissar, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, tiwillia, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | php 5.5.31, php 5.6.17 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-02-03 12:57:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1297727 | | |
| Bug Blocks: | 1297732 | | |
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297727]

php-5.6.17-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

php-5.6.17-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Lowering the impact down to moderate based on the following:

* WDDX packet deserialization should not be used with untrusted source: http://php.net/manual/en/function.wddx-deserialize.php#refsect1-function.wddx-deserialize-returnvalues
It was found that an attacker can deserialize a string-type ZVAL via php_wddx_deserialize_ex(), which means he is able to create a fake HashTable via the Z_ARRVAL_P macro with the string-type ZVAL. This could result in arbitrary remote code execution.

Vulnerable code:

```c
PS_SERIALIZER_DECODE_FUNC(wddx)
{
	...
	MAKE_STD_ZVAL(retval);

	/* retval may be a string zval here, but it is walked as an array below */
	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
		     zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
		     zend_hash_move_forward(Z_ARRVAL_P(retval))) {
			hash_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(retval), &key, &key_length, &idx, 0, NULL);
			...
```

Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1

Upstream bug (contains reproducer): https://bugs.php.net/bug.php?id=70741
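The following is an added illustration, not code from PHP or from this report: a small C model of a tagged zval and a HashTable, with a session decoder that makes the same mistake the description points at (trusting that the deserializer handed back an array) beside one that checks the type tag first. All names (`zval`, `HashTable`, `Z_ARRVAL_P`, `wddx_deserialize_model`, the two `session_decode_*` functions) are simplified stand-ins, and the `Z_TYPE_P(...) != IS_ARRAY` guard is the kind of check a fix would add; it is an assumption here, not a copy of the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not PHP's engine: a tagged zval, a HashTable header, and a
 * session decoder with the same shape of mistake as the report describes. */
#define IS_STRING 6
#define IS_ARRAY  4
#define SUCCESS   0
#define FAILURE  -1

typedef struct { uint32_t nNumOfElements; void *arBuckets; } HashTable;

typedef struct {
    int type;                                        /* IS_STRING or IS_ARRAY */
    union { unsigned char *str; HashTable *ht; } value;
} zval;

#define Z_TYPE_P(z)   ((z)->type)
#define Z_ARRVAL_P(z) ((z)->value.ht)   /* no type check, like the real macro */

/* Stand-in for php_wddx_deserialize_ex(): the packet's root element, not the
 * caller, decides which zval type comes back. */
static int wddx_deserialize_model(int root_type, void *payload, zval *out)
{
    if (root_type == IS_ARRAY) {
        out->type = IS_ARRAY;
        out->value.ht = (HashTable *)payload;
        return SUCCESS;
    }
    if (root_type == IS_STRING) {
        out->type = IS_STRING;
        out->value.str = (unsigned char *)payload;   /* bytes from the packet */
        return SUCCESS;
    }
    return FAILURE;
}

/* Unchecked consumer, same pattern as the decode function quoted above: it
 * reads Z_ARRVAL_P(retval) without confirming the zval is an array. For a
 * string zval the string bytes are read as a HashTable header, so the element
 * count returned is whatever the packet contained. */
static long session_decode_unchecked(int root_type, void *payload)
{
    zval retval;
    if (wddx_deserialize_model(root_type, payload, &retval) != SUCCESS)
        return FAILURE;
    HashTable *ht = Z_ARRVAL_P(&retval);    /* type confusion if retval is a string */
    return (long)ht->nNumOfElements;
}

/* Checked consumer: refuse anything that is not an array before using it as
 * one. (Assumed shape of the guard; the upstream diff is not reproduced.) */
static long session_decode_checked(int root_type, void *payload)
{
    zval retval;
    if (wddx_deserialize_model(root_type, payload, &retval) != SUCCESS)
        return FAILURE;
    if (Z_TYPE_P(&retval) != IS_ARRAY)
        return FAILURE;                      /* string packet: reject, do not walk */
    return (long)Z_ARRVAL_P(&retval)->nNumOfElements;
}

/* Constructed input: a "string" whose bytes happen to spell out a HashTable
 * header with a chosen element count. Caller frees the buffer. */
static unsigned char *forge_string_packet(uint32_t fake_count)
{
    HashTable fake = { fake_count, NULL };
    unsigned char *bytes = malloc(sizeof fake);
    if (!bytes)
        abort();
    memcpy(bytes, &fake, sizeof fake);       /* heap bytes now carry HashTable's layout */
    return bytes;
}

int main(void)
{
    HashTable real = { 3, NULL };
    unsigned char *forged = forge_string_packet(0x41414141u);

    printf("array packet,  unchecked: %ld elements\n",
           session_decode_unchecked(IS_ARRAY, &real));
    printf("string packet, unchecked: 0x%lx 'elements' (taken from the string bytes)\n",
           session_decode_unchecked(IS_STRING, forged));
    printf("string packet, checked:   %ld (FAILURE)\n",
           session_decode_checked(IS_STRING, forged));
    free(forged);
    return 0;
}
```

The point the model makes is the one the report makes: `Z_ARRVAL_P` is a plain field access, so the only thing standing between a string packet and a fabricated hash table is a type check at the consumer, and the moderate-impact rationale above (WDDX packets should never come from an untrusted source) is the other half of the mitigation.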