Описание
Use-After-Free in SOAP using Apache map with Remote Code Execution
ext-soap supports deduplicating objects in the XML graph through id and href. When traversing the XML graph, ext-soap will remember all plain PHP objects using the hash map SOAP_GLOBAL(ref_map), where the pointer to the libxml2 node acts as a key, and the PHP object as a value. This happens in soap_add_xml_ref().
Crucially, the reference count of the PHP object is not increased. Normally this is not a problem, as all objects in the XML graph are stored in the resulting object graph and cannot be freed.
soap_check_xml_ref() does the opposite of soap_add_xml_ref(); it will check whether some libxml2 node as already been evaluated and stored in SOAP_GLOBAL(ref_map).
The Apache map offers a mechanism to free objects between these two points by overwriting existing map entries.
This example will:
- evaluate the
mapnode - evaluate the
Staleobject, which includes calling callingsoap_add_xml_ref()to remember it inSOAP_GLOBAL(ref_map) - add the resulting object to a temporary map, which will be the result of the Apache map node
- overwrite the object immediately with
NULLfor the<item>with an empty<value>, releasing theStaleobject only strongly referenced by the temporary map, with the reference inSOAP_GLOBAL(ref_map)becoming stale - have
<stale href="#stale"/>refer to this stale pointer withinSOAP_GLOBAL(ref_map), reusing the freed memory
After this code, $result will refer to the stale memory where Stale was previously allocated. The attacker has high control over this memory segment by subsequently allocating plain strings, leading to Remote Code Execution.
The solution is straight forward, namely increase the reference count before adding objects to SOAP_GLOBAL(ref_map), and configure a ZVAL_PTR_DTOR deallocator to release the objects when the procedure is done.
Пакеты
ext-soap
< 8.2.31
8.2.31
ext-soap
< 8.3.31
8.3.31
ext-soap
< 8.4.21
8.4.21
ext-soap
< 8.5.6
8.5.6
Связанные уязвимости
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before ...