<p>#Use After Free Vulnerabilities in Session Deserializer</p><p>Taoguang Chen <[@chtg](<a href="http://github.com/chtg" rel="nofollow">http://github.com/chtg</a>)> </p><p>- Write Date: 2015.8.9</p><p>- Release Date: 2015.9.4</p><p>> Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.</p><p>Affected Versions</p><p>------------</p><p>Affected is PHP 5.6 < 5.6.13</p><p>Affected is PHP 5.5 < 5.5.29</p><p>Affected is PHP 5.4 < 5.4.45</p><p>Credits</p><p>------------</p><p>This vulnerability was disclosed by Taoguang Chen.</p><p>Description</p><p>------------</p><p></p><pre><p>PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */</p><p>{</p><p>...</p><p>PHP_VAR_UNSERIALIZE_INIT(var_hash);</p><p>p = val;</p><p>while (p < endptr) {</p><p>...</p><p>if (has_value) {</p><p>ALLOC_INIT_ZVAL(current);</p><p>if...
<p>#Use After Free Vulnerabilities in Session Deserializer</p><p>Taoguang Chen <[@chtg](<a href="http://github.com/chtg" rel="nofollow">http://github.com/chtg</a>)> </p><p>- Write Date: 2015.8.9</p><p>- Release Date: 2015.9.4</p><p>> Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.</p><p>Affected Versions</p><p>------------</p><p>Affected is PHP 5.6 < 5.6.13</p><p>Affected is PHP 5.5 < 5.5.29</p><p>Affected is PHP 5.4 < 5.4.45</p><p>Credits</p><p>------------</p><p>This vulnerability was disclosed by Taoguang Chen.</p><p>Description</p><p>------------</p><p></p><pre><p>PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */</p><p>{</p><p>...</p><p>PHP_VAR_UNSERIALIZE_INIT(var_hash);</p><p>p = val;</p><p>while (p < endptr) {</p><p>...</p><p>if (has_value) {</p><p>ALLOC_INIT_ZVAL(current);</p><p>if (php_var_unserialize(&current, (const unsigned char **) &q,</p><p>(const unsigned char *) endptr, &var_hash TSRMLS_CC)) {</p><p>php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);</p><p>}</p><p>zval_ptr_dtor(&current);</p><p>}</p><p>PS_ADD_VARL(name, namelen);</p><p>skip:</p><p>efree(name);</p><p>p = q;</p><p>}</p><p>break_outer_loop:</p><p>PHP_VAR_UNSERIALIZE_DESTROY(var_hash);</p><p>return SUCCESS;</p><p>}</p><p></p></pre><p>When session deserializer (php/php_binary) deserializing multiple data</p><p>it will call to php_var_unserialize() multiple times. So we can create</p><p>ZVAL and free it via the php_var_unserialize() with a crafted</p><p>serialized string, and also free the memory (reduce the reference</p><p>count of the ZVAL to zero) via zval_ptr_dtor() with deserialize two</p><p>identical session data, then the next call to php_var_unserialize()</p><p>will still allow to use R: or r: to set references to that already</p><p>freed memory. It is possible to use-after-free attack and execute</p><p>arbitrary code remotely.</p><p>In some other cases, session deserializer</p><p>(php/php_binary/php_serialize) may also lead to use-after-free</p><p>vulnerabilities: i) via crafted Serializable::unserialize() ii) via</p><p>unserialize()'s callback function and zend_lookup_class() call a</p><p>crafted __autoload().</p>
