Bugzilla – Bug 925109
VUL-0: CVE-2015-4147: php5,php53: PHP SoapClient's __call() type confusion through unserialize()
Last modified: 2016-06-21 11:13:31 UTC
via oss-sec, no CVE yet

From: Andrea Palazzo <andrea.palazzo@truel.it>
Subject: [oss-security] CVE Request: PHP SoapClient's __call() type confusion through unserialize()
Date: Fri, 20 Mar 2015 20:35:59 +0100

Hi everyone,

I'd like to request a CVE for the PHP Sec Bug #69085.

Description:
SoapClient's __call() method is prone to a type confusion vulnerability which can be used to gain remote code execution through unsafe unserialize() calls.

Info: https://bugs.php.net/bug.php?id=69085

Thank you, best regards,
Andrea
Description:
------------
SoapClient's __call() method is prone to a type confusion vulnerability which can be used to gain remote code execution through unsafe unserialize() calls.

In soap.c:2906

    if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) {
        HashTable *default_headers = Z_ARRVAL_P(*tmp);

the Z_ARRVAL_P macro is called on __default_headers assuming that it is an array, without any actual check on it. It has been shown several times that this kind of vulnerability can lead to crashes, arbitrary read/write memory access and code execution, so I'm not discussing the actual exploitation of this one (you can refer to my previous submissions about natsort() and extract() if needed, by the way). However, it's worth pointing out that given the nature of the __call() magic method, any direct call on user-controlled unserialized input should be considered remotely exploitable.

Test script:
---------------
<?php
//tested on 64bit Ubuntu PHP 5.6.6
//crash on memory access violation @1337
$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";i:1337;}');
var_dump($dummy->whatever());
?>

Actual result:
--------------
(gdb) r soapvar.php
Starting program: /usr/bin/php soapvar.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffec568700 (LWP 13984)]
[Thread 0x7fffec568700 (LWP 13984) exited]

Program received signal SIGSEGV, Segmentation fault.
zend_hash_internal_pointer_reset_ex (ht=ht@entry=0x539, pos=pos@entry=0x0) at /build/buildd/php5-5.6.3+dfsg/Zend/zend_hash.c:1020
1020    *pos = ht->pListHead;
(gdb) x/i $pc
=> 0x6e93d3 <zend_hash_internal_pointer_reset_ex+3>:    mov    0x20(%rdi),%rax
(gdb) p $rdi
$1 = 1337
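The engine-side bug is fixed in soap.c, but the attack vector the report names is unserialize() on user-controlled input. As an added example (not code from the bug report, from PHP, or from the fix), the guard below walks the serialized format and refuses any data that would instantiate an object, so a payload shaped like the test script's is rejected before it ever reaches unserialize(); the function names are mine and the payloads in the comments are constructed.

```php
<?php
// Returns the offset just past one serialized value, or false if the value is
// an object ('O:'/'C:'), a reference ('r:'/'R:', refused to stay conservative)
// or malformed. Handles the scalar and array tokens N, b, i, d, s and a.
function scan_serialized_value($data, $pos)
{
    if (!isset($data[$pos])) {
        return false;
    }
    switch ($data[$pos]) {
        case 'N': // N;
            return substr($data, $pos, 2) === 'N;' ? $pos + 2 : false;
        case 'b': case 'i': case 'd': // b:1;  i:1337;  d:0.5;
            $end = strpos($data, ';', $pos);
            return $end === false ? false : $end + 1;
        case 's': // s:<byte length>:"<bytes>";  (length is authoritative)
            if (!preg_match('/^s:(\d+):"/', substr($data, $pos, 24), $m)) {
                return false;
            }
            $end = $pos + strlen($m[0]) + (int) $m[1];
            return substr($data, $end, 2) === '";' ? $end + 2 : false;
        case 'a': // a:<count>:{ key value key value ... }
            if (!preg_match('/^a:(\d+):\{/', substr($data, $pos, 24), $m)) {
                return false;
            }
            $pos += strlen($m[0]);
            for ($i = 0; $i < 2 * (int) $m[1]; $i++) { // keys and values alternate
                if (($pos = scan_serialized_value($data, $pos)) === false) {
                    return false;
                }
            }
            return isset($data[$pos]) && $data[$pos] === '}' ? $pos + 1 : false;
        default: // 'O', 'C', 'r', 'R' and anything unknown are rejected
            return false;
    }
}

// Drop-in replacement for unserialize() on untrusted data: the whole string
// must scan as object-free, otherwise nothing is deserialized at all.
// Constructed inputs: 'O:10:"SoapClient":3:{...}' -> false (rejected);
//                     'a:1:{s:3:"uri";s:1:"a";}'  -> array('uri' => 'a').
function unserialize_no_objects($data)
{
    if (scan_serialized_value($data, 0) !== strlen($data)) {
        return false;
    }
    return unserialize($data);
}
```

On PHP 7.0 and later, unserialize($data, array('allowed_classes' => false)) lets the engine refuse object instantiation itself (disallowed classes become __PHP_Incomplete_Class); the scan above is the portable equivalent for the PHP 5 releases this report covers.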
http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=997b7e56302710bb3db00b56d0629ac75d73a207
QA:

1. install php5(3), php5(3)-soap

2. $ cat test.php
<?php
//tested on 64bit Ubuntu PHP 5.6.6
//crash on memory access violation @1337
$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";i:1337;}');
var_dump($dummy->whatever());
?>
$

BEFORE:
3. $ php test.php
Segmentation fault
$

AFTER:
3. $ php test.php
PHP Fatal error: Uncaught SoapFault exception: [Client] DTD are not supported by SOAP in /925109/test.php:7
Stack trace:
#0 /925109/test.php(7): SoapClient->__call('whatever', Array)
#1 /925109/test.php(7): SoapClient->whatever()
#2 {main}
  thrown in /925109/test.php on line 7
$
Reproducible down to 5.2.
Packages submitted.
Could you check the openSUSE submission? https://build.opensuse.org/request/show/293989 Unfortunately we just released a PHP update which broke the source link. Could you osc pull and re-submit?
openSUSE-SU-2015:0684-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 924970,924972,925109
CVE References: CVE-2015-2348,CVE-2015-2787
Sources used:
openSUSE 13.2 (src): php5-5.6.1-18.1
openSUSE 13.1 (src): php5-5.4.20-49.1
CVE request is outstanding: http://seclists.org/oss-sec/2015/q2/82
SUSE-SU-2015:0868-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 922022,922451,922452,923946,924970,924972,925109,928408,928506,928511
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2348,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-3330
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-22.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-22.1
SUSE-SU-2015:1018-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 922022,922451,922452,923946,924972,925109,928506,928511,931421,931769,931772,931776
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 (src): php53-5.3.17-0.41.1
released
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1