Bugzilla – Bug 945428
VUL-0: CVE-2015-6836: php53, php5: SOAP serialize_function_call() type confusion / RCE
Last modified: 2016-09-06 16:19:32 UTC
rh#1260683 A type confusion occurs within SOAP serialize_function_call due to an insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields. Vulnerable code: if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) { 2913 HashTable *default_headers = Z_ARRVAL_P(*tmp); 2914 if (soap_headers) { 2915 if (!free_soap_headers) { 2916 HashTable *t = emalloc(sizeof(HashTable)); 2917 zend_hash_init(t, 0, NULL, ZVAL_PTR_DTOR, 0); 2918 zend_hash_copy(t, soap_headers, (copy_ctor_func_t) zval_add_ref, NULL, sizeof(zval *)); 2919 soap_headers = t; 2920 free_soap_headers = 1; 2921 } 2922 zend_hash_internal_pointer_reset(default_headers); 2923 while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { 2924 Z_ADDREF_PP(tmp); 2925 zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); 2926 zend_hash_move_forward(default_headers); 2927 } 2928 } else { 2929 soap_headers = Z_ARRVAL_P(*tmp); 2930 free_soap_headers = 0; 2931 } In such case, the soap_headers array is no longer assured to be holding Objects only, thus leading to a type confusion when serialize_function_call will try to access its elements through 4351 HashTable *ht = Z_OBJPROP_PP(header); Upstream report: https://bugs.php.net/bug.php?id=70388 Upstream patch: http://git.php.net/?p=php-src.git;a=commit;h=e201f01ac17243a1e5fb6a3911ed8e21b1619ac1 References: https://bugzilla.redhat.com/show_bug.cgi?id=1260683 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6836 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6836.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836
bugbot adjusting priority
Created attachment 647282 [details] poc 1
Created attachment 647283 [details] poc 2
openSUSE-SU-2015:1628-1: An update that solves 8 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 942291,942293,942294,942295,942296,945402,945403,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: openSUSE 13.2 (src): php5-5.6.1-36.1 openSUSE 13.1 (src): php5-5.4.20-67.1
SUSE-SU-2015:1633-1: An update that solves 8 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 935074,942291,942293,942294,942295,942296,944302,945402,945403,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-36.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-36.1
SUSE-SU-2015:1701-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 945412,945428 CVE References: CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.72.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.72.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-10-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62310
SUSE-SU-2015:1818-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 935074,942291,942294,942295,942296,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-48.1
released
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available. Category: security (important) Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162 CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1