Bug 1297726

Summary: php: Session WDDX Packet Deserialization Type Confusion Vulnerability
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, carnil, cbuissar, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.5.31, php 5.6.17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-03 12:57:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297727    
Bug Blocks: 1297732    

Description Adam Mariš 2016-01-12 10:27:22 UTC 
It was found that attacker can deserialize a string-type ZVAL via php_wddx_deserialize_ex(), which means he is able to create fake HashTable via the Z_ARRVAL_P macro with the string-type ZVAL. This could result in arbitrary remote code execution.

Vulnerable code:

_SERIALIZER_DECODE_FUNC(wddx)
{
	...
	
	MAKE_STD_ZVAL(retval);

	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {

		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
			 zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
			 zend_hash_move_forward(Z_ARRVAL_P(retval))) {
			 hash_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(retval), &key, &key_length, &idx, 0, NULL);

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1

Upstream bug (contains reproducer):

https://bugs.php.net/bug.php?id=70741
Comment 1 Adam Mariš 2016-01-12 10:27:57 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297727]
Comment 2 Fedora Update System 2016-01-16 13:22:13 UTC 
php-5.6.17-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2016-01-16 14:20:30 UTC 
php-5.6.17-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Cedric Buissart 2016-01-29 11:53:05 UTC 
Lowering the impact down to moderate based on the following :
 * WDDX packet deserialization should not be used with untrusted source :
http://php.net/manual/en/function.wddx-deserialize.php#refsect1-function.wddx-deserialize-returnvalues