Bug 935226 – VUL-0: CVE-2015-4599 CVE-2015-4600 CVE-2015-4601: php5,php53: type confusion issue in unserialize() with various SOAP methods

Bug 935226 - (CVE-2015-4599) VUL-0: CVE-2015-4599 CVE-2015-4600 CVE-2015-4601: php5,php53: type confusion issue in unserialize() with various SOAP methods

(CVE-2015-4599)
Summary:	VUL-0: CVE-2015-4599 CVE-2015-4600 CVE-2015-4601: php5,php53: type confusion ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/117822/
Whiteboard:	maint:released:sle10-sp3:62109 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2015-06-18 09:43 UTC by Marcus Meissner
Modified:	2016-06-21 11:15 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
testcase (198 bytes, application/x-php) 2015-06-18 13:56 UTC, Petr Gajdos	Details
testcase (110 bytes, application/x-php) 2015-06-18 13:57 UTC, Petr Gajdos	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2015-06-18 09:43:20 UTC

via https://bugzilla.redhat.com/show_bug.cgi?id=1222538

PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for type confusion vulnerability in unserialize() function used on a various SOAP methods.

Copy-paste description of the issue from the upstream bug:
"""
PHP_METHOD(SoapFault, __toString)
{
...
  faultcode   = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC);
  faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC);
  file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC);
  line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC);
...
  len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
                 Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
                 Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");

  zval_ptr_dtor(&trace);

  RETURN_STRINGL(str, len, 0);
｝

The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a integer-type zval that start from this memory address.
If the memory address is an invalid memory position, it should result in a crash.
The Z_LVAL_P macro lead to leaking memory address via a string-type zval that string value stored.

The following code should leak arbitrary memory or crash PHP:

<?php

$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);

?>

Result (Test on standard MacOSX 10.10.2 installation of PHP 5.6.6.):

SoapFault exception: [UH??AWAVSPI??I??H????
 in UH??AWAVAUATSH???:4307253992           ] UH??SPD???*?????t"H?
Stack trace:
#0 test.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}
"""

Upstream bug:
https://bugs.php.net/bug.php?id=69152

Upstream commits:
http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8
http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4
http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1

Comment 1 Petr Gajdos 2015-06-18 13:42:30 UTC

These type confusion vulnerabilities are becoming boring .. :/.

Comment 2 Petr Gajdos 2015-06-18 13:56:40 UTC

Created attachment 638365 [details]
testcase

Comment 3 Petr Gajdos 2015-06-18 13:57:40 UTC

Created attachment 638366 [details]
testcase

Comment 4 Petr Gajdos 2015-06-18 13:59:07 UTC

On 11 (php 5.2) and 13.2 I get

$ php test1.php
Segmentation fault
$ php test2.php
Segmentation fault
$

Comment 5 Petr Gajdos 2015-06-18 14:14:44 UTC

(In reply to Marcus Meissner from comment #0)
> http://git.php.net/?p=php-src.git;a=commitdiff;
> h=fb83c76deec58f1fab17c350f04c9f042e5977d1

Hmm, this commit is already marked as fix for CVE-2015-4602, see bug 935224 comment 0.

Comment 6 Petr Gajdos 2015-06-18 14:20:00 UTC

(In reply to Marcus Meissner from comment #0)
> http://git.php.net/?p=php-src.git;a=commitdiff;
> h=0c136a2abd49298b66acb0cad504f0f972f5bfe8

And this commit seems to be fix for CVE-2015-4148, see 933227 comment 0.

Comment 7 Petr Gajdos 2015-06-18 14:34:02 UTC

I guess
http://git.php.net/?p=php-src.git;a=commit;h=a894a8155fab068d68a04bf181dbaddfa01ccbb0
is fix for the second testcase

(This testcase is from php bug 69152, comment from [2015-03-25 10:35 UTC].)

Comment 8 Petr Gajdos 2015-06-18 14:46:24 UTC

(In reply to Petr Gajdos from comment #7)
> I guess
> http://git.php.net/?p=php-src.git;a=commit;
> h=a894a8155fab068d68a04bf181dbaddfa01ccbb0
> is fix for the second testcase

Confirmed.

Comment 9 Petr Gajdos 2015-06-18 15:08:14 UTC

AFTER

$ php test1.php
SoapFault exception: [4298448493] 4298448543 in 4298447319:0
Stack trace:
#0 /935226/test1.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}
$ php test2.php
exception 'Exception' in /935226/test2.php:2
Stack trace:
#0 {main}

Or something similar.

Comment 10 Petr Gajdos 2015-06-19 08:00:07 UTC

(In reply to Petr Gajdos from comment #7)
> I guess
> http://git.php.net/?p=php-src.git;a=commit;
> h=a894a8155fab068d68a04bf181dbaddfa01ccbb0
> is fix for the second testcase
> 
> (This testcase is from php bug 69152, comment from [2015-03-25 10:35 UTC].)

This is actually fix and test2.php is a testcase for CVE-2015-4603, see bug 935234.

Comment 11 Petr Gajdos 2015-06-22 14:20:56 UTC

oS:    mr#313087
12:    mr#60828
11sp3: sr#60826
11:    sr#60824
10sp3: sr#60822

Comment 13 Swamp Workflow Management 2015-06-22 20:25:30 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62089

Comment 15 Swamp Workflow Management 2015-07-06 08:06:13 UTC

openSUSE-SU-2015:1197-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 935224,935225,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4604,CVE-2015-4605,CVE-2015-4643,CVE-2015-4644
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-30.6
openSUSE 13.1 (src):    php5-5.4.20-61.5

Comment 16 Swamp Workflow Management 2015-07-17 08:13:44 UTC

SUSE-SU-2015:1253-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-30.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-30.1

Comment 17 Swamp Workflow Management 2015-07-17 09:09:28 UTC

SUSE-SU-2015:1253-2: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-30.1

Comment 18 Swamp Workflow Management 2015-07-17 18:10:13 UTC

SUSE-SU-2015:1265-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,933227,935074,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    php53-5.3.17-0.43.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    php53-5.3.17-0.43.1
SUSE Linux Enterprise Server 11 SP3 (src):    php53-5.3.17-0.43.1

Comment 19 Andreas Stieger 2015-07-20 14:21:23 UTC

released, closing

Comment 20 Swamp Workflow Management 2016-06-21 11:15:16 UTC

SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1