
Example Analysis of the Use-After-Free Vulnerability in PHP SplDoublyLinkedList

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue, the editor presents an example analysis of the use-after-free vulnerability in PHP's SplDoublyLinkedList. The article walks through the bug from a technical point of view; we hope you take something away from it.

Vulnerability description

A use-after-free vulnerability exists in PHP's SplDoublyLinkedList doubly linked list library. An attacker who can already run PHP code on the server can use it to escape the disable_functions restriction. With the help of this vulnerability, a remote attacker can break out of the PHP sandbox and execute arbitrary code. More precisely, on successful exploitation an attacker can bypass some of PHP's built-in limitations, such as disable_functions and safe_mode.

Affected version

PHP v8.0 (Alpha)

PHP v7.4.10 and previous versions

Manufacturer's response

According to our security classification, we don't think this is a security issue because it requires very special code to be executed on the server side to trigger the vulnerability. If an attacker can implement code injection, it must be caused by a vulnerability that is more serious than this one.

Vulnerability analysis

SplDoublyLinkedList is a doubly linked list (DLL) library in PHP that supports iteration: it stores a pointer to the current DLL element, and developers move that pointer to other elements by calling next() and prev().

When we delete an element from the DLL, PHP first unlinks the element from the list and then destroys its zval; only after that does it reset the current pointer if the pointer referred to the deleted element. So while the zval is being destroyed, the current pointer still points to the element even though it has already been removed from the list. This is where the use-after-free comes from: we can trigger it by calling $dll->next() or $dll->prev() from the destructor of the zval.

Triggering the vulnerability with input parameters

We create a SplDoublyLinkedList object $s with two values: the first is an object with a specially crafted __destruct method, and the second is ignored. Next, we call $s->rewind() so that the current iteration pointer refers to our object. When we then call $s->offsetUnset(0), PHP invokes the underlying C function SPL_METHOD(SplDoublyLinkedList, offsetUnset) (in ext/spl/spl_dllist.c), which does the following:

1. Unlink the element from the doubly linked list by updating its neighbours' pointers:

```c
element->prev->next = element->next;
element->next->prev = element->prev;
```

2. Destroy the related zval (llist->dtor)

3. If intern->traverse_pointer points to the target element, set the pointer to NULL

In the second step, the __destruct method of our object is called while intern->traverse_pointer still points to the element. To trigger the use-after-free, the destructor does the following:

1. Remove the second element from the doubly linked list by calling $s->offsetUnset(0), so that intern->traverse_pointer->next now points to freed memory.

2. Call $s->next(): this executes intern->traverse_pointer = intern->traverse_pointer->next. Since that address was freed in the first step, traverse_pointer now points to freed memory.

3. Call $s->current(): this reads through the freed address, triggering the use-after-free.

Vulnerability repair

The fix is to clear intern->traverse_pointer before destroying the zval, and then drop the reference the pointer held. The reference code is as follows:

```c
was_traverse_pointer = 0;

/* Clear the current pointer */
if (intern->traverse_pointer == element) {
    intern->traverse_pointer = NULL;
    was_traverse_pointer = 1;
}

if (llist->dtor) {
    llist->dtor(element);
}

if (was_traverse_pointer) {
    SPL_LLIST_DELREF(element);
}

/* In the current implementation, this part is useless, because
 * llist->dtor will UNDEF the zval before */
zval_ptr_dtor(&element->data);
ZVAL_UNDEF(&element->data);

SPL_LLIST_DELREF(element);
```
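To show why the order of those steps matters, here is an added, self-contained C model of the trigger sequence and of the fix described above. It is not PHP's code: the list, element, traverse_pointer and dtor callback are a simplified stand-in for spl_dllist.c (refcounting via SPL_LLIST_DELREF is omitted), and elements are never really free()d but marked with a constructed "freed" flag so that a dangling read can be detected deterministically. run_scenario(0) runs offsetUnset in the vulnerable order (unlink, dtor, then clear traverse_pointer) and run_scenario(1) in the fixed order (clear traverse_pointer before the dtor).

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of spl_dllist element/list state (added illustration). */
typedef struct elem {
    struct elem *prev, *next;
    int data;            /* stands in for the element's zval */
    int has_destructor;  /* true for the object with a __destruct method */
    int freed;           /* mock heap state instead of a real free() */
} elem;

#define GRAVEYARD 16
typedef struct dll {
    elem *head, *tail;
    elem *traverse_pointer;       /* current iteration element */
    void (*dtor)(struct dll *);   /* models __destruct running from llist->dtor */
    int fixed;                    /* 0 = vulnerable ordering, 1 = patched ordering */
    int use_after_free;           /* set when current() reads a freed element */
    elem *graveyard[GRAVEYARD];   /* mock-freed elements, released at the end */
    int ngrave;
} dll;

static void dll_push(dll *l, int data, int has_destructor) {
    elem *e = calloc(1, sizeof *e);
    e->data = data;
    e->has_destructor = has_destructor;
    e->prev = l->tail;
    if (l->tail) l->tail->next = e; else l->head = e;
    l->tail = e;
}

static void dll_rewind(dll *l) { l->traverse_pointer = l->head; }

/* next(): traverse_pointer = traverse_pointer->next, as in the article */
static void dll_next(dll *l) {
    if (l->traverse_pointer) l->traverse_pointer = l->traverse_pointer->next;
}

/* current(): returns the element's data, or -1 when there is no element */
static int dll_current(dll *l) {
    elem *e = l->traverse_pointer;
    if (!e) return -1;
    if (e->freed) l->use_after_free = 1;   /* this read is the UAF in the real bug */
    return e->data;
}

static void mock_free(dll *l, elem *e) {
    e->freed = 1;
    if (l->ngrave < GRAVEYARD) l->graveyard[l->ngrave++] = e;
}

/* offsetUnset(index), with the three steps from the article */
static int dll_offset_unset(dll *l, int index) {
    elem *e = l->head;
    while (e && index-- > 0) e = e->next;
    if (!e) return 0;

    /* step 1: unlink; the element keeps its own prev/next pointers */
    if (e->prev) e->prev->next = e->next; else l->head = e->next;
    if (e->next) e->next->prev = e->prev; else l->tail = e->prev;

    /* fixed ordering: clear the current pointer before the destructor runs */
    if (l->fixed && l->traverse_pointer == e) l->traverse_pointer = NULL;

    /* step 2: destroy the zval; __destruct may re-enter the list */
    if (e->has_destructor && l->dtor) l->dtor(l);

    /* step 3 (vulnerable ordering): the pointer is only cleared now */
    if (!l->fixed && l->traverse_pointer == e) l->traverse_pointer = NULL;

    mock_free(l, e);
    return 1;
}

/* The __destruct body from the article: remove the (now first) second
 * element, advance the iterator onto it, and read it. */
static void destruct_body(dll *l) {
    dll_offset_unset(l, 0);
    dll_next(l);
    dll_current(l);
}

/* Runs the article's sequence; returns 1 if a freed element was read. */
static int run_scenario(int fixed) {
    dll l = {0};
    l.fixed = fixed;
    l.dtor = destruct_body;
    dll_push(&l, 1, 1);   /* object with __destruct */
    dll_push(&l, 2, 0);   /* second value, ignored */
    dll_rewind(&l);       /* traverse_pointer -> first element */
    dll_offset_unset(&l, 0);
    int uaf = l.use_after_free;
    for (elem *e = l.head; e;) { elem *n = e->next; free(e); e = n; }
    for (int i = 0; i < l.ngrave; i++) free(l.graveyard[i]);
    return uaf;
}

int main(void) {
    printf("vulnerable ordering: use_after_free=%d\n", run_scenario(0));
    printf("fixed ordering:      use_after_free=%d\n", run_scenario(1));
    return 0;
}
```

In the vulnerable ordering the nested offsetUnset(0) inside the destructor frees the second element while the first element's next pointer still refers to it, so next() lands on freed memory and current() reads it. In the fixed ordering traverse_pointer is already NULL when the destructor runs, so next() and current() have nothing to follow and no freed element is touched.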

Vulnerability exploitation
