CVE-2022-31625: Uninitialized array in pg_query_params() leading to RCE

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.


Sec Bug #81720: Uninitialized array in pg_query_params() leading to RCE

Submitted: 2022-05-16 14:50 UTC
Modified: 2022-06-06 07:13 UTC
From: c dot fol at ambionics dot io
Assigned: stas
Status: Closed
Package: PostgreSQL related
PHP Version: 8.1.6
OS:
Private report: No
CVE-ID: 2022-31625

[2022-05-16 14:50 UTC] c dot fol at ambionics dot io

Description:

Hello PHP team,

in PHP_FUNCTION(pg_query_params), the array meant to store the char* representation of the query parameters is allocated on the heap, but not cleared:

```
params = (char **)safe_emalloc(sizeof(char *), num_params, 0);
```

If a conversion error happens (for instance, one of the params is an object), `_php_pgsql_free_params()` gets called *on the whole array*. Since the array is not initialized, a lingering value from a previous request can get freed, leading in the end to remote code execution.

To patch, use calloc or memset-0 it.

There are other functions where you use basically the same code (if cannot convert to string, then free all params) so it might be worth a look.

Patch:

```
- _php_pgsql_free_params(params, num_params);
+ _php_pgsql_free_params(params, i);
```
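Review bot: the `+` line `_php_pgsql_free_params(params, i);` is only correct if `i` is the loop index of the element whose string conversion just failed and `params[i]` has not been assigned at that point, so that slots 0..i-1 are exactly the converted ones; neither is visible in this two-line excerpt, so check it against the conversion loop in PHP_FUNCTION(pg_query_params). The description also proposes calloc or memset-0; with that in place the untouched slots hold NULL instead of leftover heap data, and whichever variant is chosen, the other functions the report says share this pattern need the same change.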

Best regards, Charles Fol ambionics.io

Test script:

```
<?php
// Reporter's proof of concept: the fourth element of "args" is an object,
// which pg_query_params() cannot coerce to a string, so the error path
// frees the whole, never-initialized params array.
$strings = [];

// \u00xx-escapes a string; defined in the original script but not used below.
function uenc($v) {
    $out = '';
    for ($i = 0; $i < strlen($v); $i++) {
        $out .= '\u' . '00' . str_pad(dechex(ord($v[$i])), 2, '0', STR_PAD_LEFT);
    }
    return '"' . $out . '"';
}

$json = '{"a": 1, "args":[ "A","A","A", {} ]}';
$c = pg_connect('host=172.17.0.3 user=postgres password=password');

$data = json_decode($json);

// "A","A","A" convert fine; the {} (a stdClass object) fails, which triggers
// _php_pgsql_free_params() over all four slots of the uninitialized array.
$resultXXX = pg_query_params($c, 'SELECT * FROM test WHERE x NOT IN ($1)', $data->args);
// var_dump(pg_fetch_all($resultXXX));
```

Expected result:

No crash.

Actual result:

Crash.
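To show why the bounded free (or zeroing the array) matters, here is an added C model that is neither PHP's code nor the reporter's patch: it mimics the conversion loop, marks every slot of the freshly allocated array with a STALE sentinel standing in for a pointer left over from a previous request, and counts how many such slots each error-handling strategy would hand to free(). The sentinel, the strategy numbering and the function names are the example's own, and it generalises beyond the report's input by taking the failing index as a parameter.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the pg_query_params() parameter conversion (added example,
   not PHP's code). STALE stands in for a leftover pointer that a previous
   request left behind in the freshly emalloc'd, never-zeroed params array. */
#define STALE ((char *)(uintptr_t)0xDEADBEEF)

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Number of entries in params[0..n) that still hold stale data: each one
   would be passed to free() by a _php_pgsql_free_params(params, n) call. */
static size_t stale_in_range(char **params, size_t n) {
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (params[i] == STALE) stale++;
    return stale;
}

/* strategy 0: original code, free the whole array on a conversion error.
   strategy 1: reporter's patch, free only the i entries already converted.
   strategy 2: calloc (memset-0), so untouched slots are NULL, which free() ignores.
   Returns how many stale pointers the error path would free. */
size_t stale_frees(size_t num_params, size_t fail_at, int strategy) {
    char **params = (strategy == 2) ? calloc(num_params, sizeof *params)
                                    : malloc(num_params * sizeof *params);
    if (!params) return 0;
    if (strategy != 2)
        for (size_t i = 0; i < num_params; i++) params[i] = STALE;  /* dirty heap */
    size_t i, stale = 0;
    for (i = 0; i < num_params; i++) {
        if (i == fail_at) break;  /* e.g. an object: cannot be coerced to string */
        params[i] = dup_str("A");
    }
    if (i < num_params)  /* error path: which slots would be freed? */
        stale = stale_in_range(params, strategy == 1 ? i : num_params);
    for (size_t j = 0; j < num_params; j++)  /* cleanup that never frees STALE */
        if (params[j] != STALE) free(params[j]);
    free(params);
    return stale;
}

/* The report's test script: args ["A","A","A",{}], the object at index 3. */
size_t stale_frees_for_report(int strategy) { return stale_frees(4, 3, strategy); }
```

With the report's input the original code frees one stale pointer; with the object as the first parameter it would free all four, which is why the count scales with how early the conversion fails.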

History


[2022-05-17 09:45 UTC] [email protected]

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2022-05-17 09:45 UTC] [email protected]

Thanks for reporting! I can confirm the issue. I’ll have a closer look.

[2022-05-17 11:17 UTC] c dot fol at ambionics dot io

Cool !

I’m wondering if you also got the previous bug, #81719, related to PDO. I didn’t receive a confirmation email.

[2022-05-17 11:35 UTC] [email protected]

-Assigned To: cmb +Assigned To: stas

[2022-05-17 11:35 UTC] [email protected]

Proposed patch: https://gist.github.com/cmb69/b2b5ab0cb54a5683fe3aff4c7c09f7c2.

While fixing this issue, I noticed that pg_send_execute() tries to convert the $params elements to string, but checks the wrong variable (`tmp` instead of `tmp_str`), which may cause a segfault. The patch also fixes this.

As to whether this is actually a security issue: any potential exploit requires the script to pass values which are not coercible to string to the $params parameter of `pg_query_params()` or `pg_send_execute()`. That might be regarded as sloppy userland programming, so I’m not sure if we classify this as security issue. On the other hand, the documentation is not explicit about this conversion to string requirement (although the placeholders hint at it).

Stas, what do you think?

> I’m wondering if you also got the previous bug, #81719, related to PDO.

I’ll have a look at that right away.

[2022-05-25 21:36 UTC] [email protected]

-CVE-ID: needed +CVE-ID: 2022-31625

[2022-06-06 07:13 UTC] [email protected]

-Status: Verified +Status: Closed

Related news


Red Hat Security Advisory 2022-8197-01

Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.

RHSA-2022:8197: Red Hat Security Advisory: php security, bug fix, and enhancement update

An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2021-21708 (php: Use after free due to php_filter_float() failing for ints); CVE-2022-31625 (php: Uninitialized array in pg_query_params() leading to RCE).

RHSA-2022:7624: Red Hat Security Advisory: php:8.0 security, bug fix, and enhancement update

An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: CVE-2021-21708 (php: Use after free due to php_filter_float() failing for ints); CVE-2022-31625 (php: Uninitialized array in pg_query_params() leading to RCE).

Gentoo Linux Security Advisory 202209-20

Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.

Red Hat Security Advisory 2022-6158-01

Red Hat Security Advisory 2022-6158-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

RHSA-2022:6158: Red Hat Security Advisory: php:7.4 security update

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: CVE-2022-31625 (php: uninitialized array in pg_query_params() leading to RCE).

Ubuntu Security Notice USN-5479-3

Ubuntu Security Notice 5479-3 - USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-5479-2

Ubuntu Security Notice 5479-2 - USN-5479-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 16.04 ESM. Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Red Hat Security Advisory 2022-5491-01

Red Hat Security Advisory 2022-5491-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include buffer overflow and privilege escalation vulnerabilities.

RHSA-2022:5491: Red Hat Security Advisory: rh-php73-php security and bug fix update

An update for rh-php73-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: CVE-2021-21703 (php: Local privilege escalation via PHP-FPM); CVE-2021-21707 (php: special character breaks path in xml parsing); CVE-2022-31625 (php: uninitialized array in pg_query_params() leading to RCE); CVE-2022-31626 (php: password of excessive length triggers buffer overflow leading to RCE).

Ubuntu Security Notice USN-5479-1

Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
