CVE-2022-31625: Uninitialized array in pg_query_params() leading to RCE
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.
Sec Bug #81720
Uninitialized array in pg_query_params() leading to RCE
Submitted:
2022-05-16 14:50 UTC
Modified:
2022-06-06 07:13 UTC
From:
c dot fol at ambionics dot io
Assigned:
stas (profile)
Status:
Closed
Package:
PostgreSQL related
PHP Version:
8.1.6
OS:
Private report:
No
CVE-ID:
2022-31625
[2022-05-16 14:50 UTC] c dot fol at ambionics dot io
Description:
Hello PHP team,
in PHP_FUNCTION(pg_query_params), the array meant to store the char* representation of the query parameters is allocated on the heap, but not cleared:
```c
params = (char **)safe_emalloc(sizeof(char *), num_params, 0);
```
If a conversion error happens (for instance, one of the params is an object), `_php_pgsql_free_params()` gets called *on the whole array*. Since the array is not initialized, a lingering value from a previous request can get freed, leading in the end to remote code execution.
To patch, use calloc or memset-0 it.
There are other functions where you use basically the same code (if cannot convert to string, then free all params) so it might be worth a look.
Patch:
```
- _php_pgsql_free_params(params, num_params);
- _php_pgsql_free_params(params, i);
```
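Review bot: the fragment shows two `-` lines and no `+` line, so the intended replacement is not visible as quoted; read together with the description, the `num_params` call is the one removed and the `i` call the one added, so that the failure path frees only the entries converted so far. That change on its own still leaves the array from `safe_emalloc` uninitialized, so pairing it with the calloc/memset suggested in the description keeps any other path that frees all `num_params` slots safe as well.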
Best regards, Charles Fol ambionics.io
Test script:
```php
<?php
// Reporter's PoC: the "{}" element of "args" decodes to an object, which
// pg_query_params() cannot coerce to a string, so the error path is taken.
$strings = [];
function uenc($v) {
    $out = '';
    for ($i = 0; $i < strlen($v); $i++) {
        $out .= '\u' . '00' . str_pad(dechex(ord($v[$i])), 2, '0', STR_PAD_LEFT);
    }
    return '"' . $out . '"';
}
$json = '{"a": 1, "args":[ "A","A","A", {} ]}';
$c = pg_connect('host=172.17.0.3 user=postgres password=password');
$data = json_decode($json);
$resultXXX = pg_query_params($c, 'SELECT * FROM test WHERE x NOT IN ($1)', $data->args); // var_dump(pg_fetch_all($resultXXX));
```
Expected result:
No crash.
Actual result:
Crash.
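As an added illustration (not code from the bug report or from PHP's ext/pgsql), the shape of the fix the report asks for, modelled in C: the parameter array is zeroed at allocation and the failure path frees only the entries already converted. The names `convert_params`, `free_params` and `dup_str` are assumptions of this model; a NULL input stands in for a value that cannot be coerced to a string.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the pg_query_params() conversion loop; not PHP's own code.
 * A NULL input stands in for a value that cannot be coerced to a string,
 * like the "{}" object in the reporter's test script. */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Same contract as _php_pgsql_free_params(): release `count` entries, then the array. */
static void free_params(char **params, int count) {
    for (int i = 0; i < count; i++)
        free(params[i]);        /* free(NULL) is a no-op, so zeroed slots are harmless */
    free(params);
}

/* Converts `num_params` values; returns true on success. On a conversion error it
 * returns false and reports how many entries had been built in *converted.
 * Two changes relative to the shape described in the report:
 *   1. calloc() instead of an uninitialized allocation, so every slot is either NULL
 *      or a pointer this function produced (the reporter's "calloc or memset-0");
 *   2. the failure path frees only the first `i` entries, not all `num_params`
 *      (the change in the quoted patch), so slots never written are never freed. */
static bool convert_params(const char *const *values, int num_params, int *converted) {
    char **params = calloc((size_t)num_params, sizeof(char *));
    if (params == NULL) { *converted = 0; return false; }
    int i;
    for (i = 0; i < num_params; i++) {
        if (values[i] == NULL) {              /* not coercible to string */
            *converted = i;
            free_params(params, i);           /* only what was actually built */
            return false;
        }
        params[i] = dup_str(values[i]);
        if (params[i] == NULL) { *converted = i; free_params(params, i); return false; }
    }
    *converted = i;
    free_params(params, num_params);          /* in PHP this happens after the query ran */
    return true;
}
```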
History
[2022-05-17 09:45 UTC] [email protected]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
[2022-05-17 09:45 UTC] [email protected]
Thanks for reporting! I can confirm the issue. I’ll have a closer look.
[2022-05-17 11:17 UTC] c dot fol at ambionics dot io
Cool!
I’m wondering if you also got the previous bug, #81719, related to PDO. I didn’t receive a confirmation email.
[2022-05-17 11:35 UTC] [email protected]
-Assigned To: cmb +Assigned To: stas
[2022-05-17 11:35 UTC] [email protected]
Proposed patch: https://gist.github.com/cmb69/b2b5ab0cb54a5683fe3aff4c7c09f7c2
While fixing this issue, I noticed that pg_send_execute() tries to convert the $params elements to string, but checks the wrong variable (`tmp` instead of `tmp_str`), which may cause a segfault. The patch also fixes this.
As to whether this is actually a security issue: any potential exploit requires the script to pass values which are not coercible to string to the $params parameter of `pg_query_params()` or `pg_send_execute()`. That might be regarded as sloppy userland programming, so I’m not sure if we classify this as security issue. On the other hand, the documentation is not explicit about this conversion to string requirement (although the placeholders hint at it).
Stas, what do you think?
> I’m wondering if you also got the previous bug, #81719, related to PDO.
I’ll have a look at that right away.
[2022-05-25 21:36 UTC] [email protected]
-CVE-ID: needed +CVE-ID: 2022-31625
[2022-06-06 07:13 UTC] [email protected]
-Status: Verified +Status: Closed
Related news
Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.
An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints * CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE
An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints * CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE
Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.
Red Hat Security Advisory 2022-6158-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31625: php: uninitialized array in pg_query_params() leading to RCE
Ubuntu Security Notice 5479-3 - USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5479-2 - USN-5479-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 16.04 ESM. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2022-5491-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include buffer overflow and privilege escalation vulnerabilities.
An update for rh-php73-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-21703: php: Local privilege escalation via PHP-FPM * CVE-2021-21707: php: special character breaks path in xml parsing * CVE-2022-31625: php: uninitialized array in pg_query_params() leading to RCE * CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE
Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.