Shulou(Shulou.com)06/01 Report--

This article mainly explains the principle of "PHP bypassing the disabled function loophole". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "the principle of PHP bypassing the disabled function loophole".

Brief introduction of vulnerabilities

PHP issued an announcement that there was a UAF risk in the old version of the php_array_merge_recursive function, which could be exploited to bypass the disabled function.

Affected version

PHP 7.2-7.4.9

Security experts recommend that users upgrade to a secure version as soon as possible to address the risk.

Loophole principle

1. Implementation of array_merge_recursive function

In the implementation of the array_merge_recursive function, by traversing the key value of the source array, if the key value does not exist, the corresponding value is directly inserted into the target array; if the key value exists, the corresponding target array is queried. When this key value does not exist in the target array, the key value and the corresponding value are inserted into the target array; if the same key value exists, an attempt is made to add the corresponding value to the target array. As shown in the following figure, when the target value is NULL, convert it to an array type and add NULL to the array, convert it to an array type when the value in the source array is an object type, and add src_zval to the array after trying to add a reference for src_entry. If the value type in the source array is an array, call the php_array_merge_recursive function recursively.

Second, principle analysis

Z_TRY_ADDREF_P (src_entry) is mistakenly called when trying to add a reference count to a value in the source array, where src_entry is a reference to the value in the source array, where the reference count is added to the reference rather than to the value in the source array.

If you pass a variable string in the array_merge_recursive function (the string obtained by direct assignment is immutable and will fail when you try to add a reference count), the reference count of the variable string does not increase in the src_zval. When the array is destroyed, it causes UAF because the reference count of the variable string changes to 0 in advance.

III. Utilization analysis

Note: the following debugging is done directly on php debugging instead of loading php debugging on the server, but there is not much difference.

1. After the string is released, a new object is created for type confusion, and the len of the string is overwritten by the ce of the newly created object. Ce is an address, so subsequent string writing will not be affected.

The comparison before and after occupying the space is as follows:

After the string object is released, before creating the object:

After creating the object:

2. The memory information is leaked after reading the handlers of the newly created object. The value of handers is the 0x0000000008dfe500 in the figure above, which can be used to disclose the php base address after any memory is read. Read the area of the newly created object that contains the heap address, and get the address of the released string. For example, you can read the heap address in 0x7ffffb080540. Minus 0xc8 is the string address hex (0x00007ffffb0805b0-0xc8) = 0x7ffffb0804e8 in the string object, which is the address of the val property of the string object.

3. Rewrite the type pointed to by the value of a property of the newly created object to a reference, and the address of the reference is a fake reference string object. You can change the type of the first attribute of the newly created object, the first element in the properties_table array, to the reference, and the address to the address of the fake reference string object. The address 0x7ffffb0804f8 holds is the address of the first property of the newly created object, and the 0xa stored in the address 0x7ffffb080500 represents the reference type.

The address it points to 0x00007ffffb080548 holds the address of the fake reference object, and the third octet of the forged object needs to be set to 6 (the type of the reference object). The memory layout of the reference string object is shown in the following figure. As you can see, the saved type in the reference is 0x6 represents the string type, but the address is 0x0, and memory reading can then be achieved by writing any address.

4. Arbitrary memory reading is achieved by modifying the starting address of the forged string, using the previously leaked handlers address to obtain the elf base address, and then traversing the memory to obtain the address of the zif_system function.

5. Forge a closure object, copy its stored value from a real closure object, modify the function type to the built-in function type, and the has_dimension attribute address is zif_system, as shown in the following figure.

6. Modify the address of an attribute of the object to the address of the forged closure object, and call the attribute function of the object to complete the bypass of the disabled function.

Vulnerability verification

1. Attack attempts in version 7.4.5

Upload the script on the target server and execute the command.

(video address: https://v.qq.com/x/page/c31651dla6g.html)

II. Analysis of 7.4.10 version repair

Change Z_TRY_ADDREF_P (src_entry) to Z_TRY_ADDREF_P (src_zval).

Thank you for your reading, the above is the content of "the principle of PHP bypassing the disabled function loophole". After the study of this article, I believe you have a deeper understanding of the principle of PHP bypassing the disabled function loophole, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.