lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bb1c0dd8-17bc-945a-5048-e38b6a81f86f@karmainsecurity.com>
Date: Mon, 6 Feb 2017 16:40:32 +0100
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org,
 oss-security@...ts.openwall.com
Subject: [FD] [KIS-2017-01] PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP
 Object Injection Vulnerability

---------------------------------------------------------------------------
PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP Object Injection Vulnerability
---------------------------------------------------------------------------


[-] Software Link:

https://pear.php.net/package/HTML_AJAX


[-] Affected Versions:

All versions from 0.3.0 to 0.5.7.


[-] Vulnerability Description:

The vulnerable code is located within the HTML_AJAX_Serializer_PHP class defined into
the /AJAX/Serializer/PHP.php script. Such a class uses the unserialize() PHP function
with user-controlled input unless a class name which is not in the provided array
of allowed classes is found within the serialized string. Class names are
extracted by using the _getSerializedClassNames() method:

68.	    function _getSerializedClassNames($string) {
69.	        // Strip any string representations (which might contain object syntax)
70.	        while (($pos = strpos($string, 's:')) !== false) {
71.	            $pos2 = strpos($string, ':', $pos + 2);
72.	            if ($pos2 === false) {
73.	                // invalidly serialized string
74.	                return false;
75.	            }
76.	            $end = $pos + 2 + substr($string, $pos + 2, $pos2) + 1;
77.	            $string = substr($string, 0, $pos) . substr($string, $end);
78.	        }
79.	
80.	        // Pull out the class names
81.	        preg_match_all('/O:[0-9]+:"(.*)"/U', $string, $matches);
82.	
83.	        // Make sure names are unique (same object serialized twice)
84.	        return array_unique($matches[1]);
85.	    }

By default the array of allowed classes is empty, meaning that no classes are allowed
to be unserialized. However, due to the faulty regular expression used at line 81, it
might be possible to bypass such a restriction by replacing "O:X" with "O:+X" from
within the serialized string, where X is the length of the class name. This can be
exploited by unauthenticated attackers to inject arbitrary PHP objects into the
application scope, allowing to perform "POP chain" attacks or exploit memory
corruption vulnerabilities within the PHP's serialization internals, potentially
leading to execution of arbitrary code on the web server.


[-] Solution:

Update to version 0.5.8 or disable the PHP Serializer.


[-] Disclosure Timeline:

[19/01/2017] - Issue reported to https://pear.php.net/bugs/bug.php?id=21165
[01/02/2017] - CVE number requested
[01/02/2017] - CVE number assigned
[02/02/2017] - Version 0.5.8 released: http://blog.pear.php.net/2017/02/02/security
[06/02/2017] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2017-5677 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2017-01

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ