Directory
1. Serialization Definition
2. serialize: Serialization
3. unserialize: Deserialization
4. Security Risks of Serialization and Deserialization
5. Use After Free Vulnerability in unserialize() with DateTime [CVE-2015-0273]
6. Memory Corruption Vulnerability Exploitation in PHP (CVE-2014-8142 and CVE-2015-0231)
1. Serialization Definition
In computer science, serialization commonly refers to one of two things:
1. In synchronization control, it means forcing accesses to happen one at a time within a given period.
2. In data storage and transmission, it is the process of storing an object to a storage medium (such as a file, or a memory buffer holding hundreds of millions of objects) or encoding it for transmission over the network, in byte or XML form. The byte or XML encoding can later be used to restore an object equal to the original. This is used to transfer objects between different applications, or by a server to store objects in files or databases. The reverse process is called deserialization.
Serialization has several advantages:
1. A simple way to persist objects
2. A way to implement remote procedure calls, as in SOAP
3. A way to distribute objects, especially in component models such as COM and CORBA
Relevant Link:
http://zh.wikipedia.org/wiki/%E5%BA%8F%E5%88%97%E5%8C%96
http://baike.baidu.com/view/160029.htm
2. serialize: Serialization
serialize: Generates a storable representation of a value.
serialize() returns a string containing a byte-stream representation of value that can be stored anywhere. This is useful for storing or passing PHP values around without losing their type and structure.
serialize() can handle all types except resource, including:
1. Arrays that contain references to themselves
2. References inside the array/object being serialize()d are stored as well (the reference itself is serialized)
3. ...
In essence, serialization takes an "object" (in the broad sense: integer, float, string, array, or object), "destroys" it, and converts it into a common intermediate string representation. During serialization the object goes through the following lifecycle:
1. __sleep(): gains control before the object is destroyed
2. __destruct(): performs the actual destruction of the object
Code
<?php
// The opening of this class (declaration and start of the constructor) was lost
// in extraction and is reconstructed from the surviving fragment.
class Connection {
    public $public_var;
    protected $protected_var;
    private $private_var;

    function __construct() {
        echo "function __construct() is called" . "\n";
        $this->public_var = "public_var";
        $this->protected_var = "protected_var";
        $this->private_var = "private_var";
    }
    function __destruct() {
        echo "function __destruct() is called" . "\n";
    }
    public function __sleep() {
        echo "function __sleep() is called" . "\n";
        // __sleep() must return the names of the properties to serialize;
        // without this, serialize() emits a notice and produces N; (null)
        return array('public_var', 'protected_var', 'private_var');
    }
    public function __wakeup() {
        echo "function __wakeup() is called" . "\n";
    }
}

// initialize a var
$obj = new Connection();
// var_dump($obj);
$result = serialize($obj);
// var_dump($result);
// unserialize() rebuilds the object and calls __wakeup() on it
unserialize($result);
?>
Relevant Link:
http://php.net/manual/zh/function.serialize.php
http://php.net/manual/zh/language.oop5.magic.php#object.wakeup
http://php.net/manual/zh/language.oop5.decon.php
3. unserialize: Deserialization
unserialize: Creates a PHP value from a stored representation.
unserialize() takes a single serialized variable and converts it back into a PHP value.
During deserialization the object's lifecycle is:
1. __construct(): object registration, including registration of the object's members
2. __wakeup(): gains control after the constructor has run
Relevant Link:
http://php.net/manual/zh/function.unserialize.php
4. Security Risks of Serialization and Deserialization
0x1: Object Injection
<?php
// The class declaration and the start of the request handling were lost in
// extraction; the input source ($_GET['pass']) is reconstructed, the rest of
// the logic is as it survived on the page.
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $o = unserialize($_GET['pass']);
    if ($o) {
        $o->secret = "?????????????????????????????";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: " . $o->secret;
        else
            echo "Oh no... You can't fool me";
    } else
        echo "are you trolling?";
}
?>
The input to unserialize() is a serialized just4fun object whose enter property was turned into a reference to secret before serialization:
$o->enter = &$o->secret
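The reference trick above, and a hardened variant of the same check, as an added example that is not part of the original post. It assumes PHP >= 7.0 (for the allowed_classes option); the secret value and the function names are constructed.

```php
<?php
// Added example, not code from the original post. Shows why enter and secret
// compare equal after unserialize() when the stream carries a back-reference,
// and how reading the untrusted value before writing the secret removes the
// aliasing the trick depends on. Assumes PHP >= 7.0 (allowed_classes).
class just4fun {
    public $enter;
    public $secret;
}

// Payload construction from the post: enter becomes a reference to secret.
$o = new just4fun();
$o->enter = &$o->secret;
$payload = serialize($o);
// serialize() writes enter as "N;" and secret as "R:2;", a back-reference to
// the 2nd value in the stream (enter itself), so unserialize() rebuilds the
// two properties on top of one shared zval.

// Same logic as the post's snippet: the secret is written into the object the
// attacker supplied, so the write is visible through $o->enter as well.
function check_vulnerable(string $input, string $secret): bool {
    $o = unserialize($input);
    if (!($o instanceof just4fun)) {
        return false;
    }
    $o->secret = $secret;
    return $o->secret === $o->enter;
}

// Hardened: restrict which classes may be instantiated, copy the submitted
// value out of the untrusted object, and never store the secret in it.
function check_hardened(string $input, string $secret): bool {
    $o = unserialize($input, ['allowed_classes' => ['just4fun']]);
    if (!($o instanceof just4fun)) {
        return false;
    }
    $submitted = (string)$o->enter; // plain copy; no longer aliases $o->secret
    unset($o);
    return hash_equals($secret, $submitted);
}

$secret = "constructed-secret"; // stand-in for the masked value in the post
var_dump(check_vulnerable($payload, $secret));
var_dump(check_hardened($payload, $secret));
```

The hardened check still fails a reference payload only because the comparison no longer goes through the attacker-controlled object; the robust fix remains not passing user input to unserialize() at all.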
0x2: PHP Session serialization and deserialization Processor
http://drops.wooyun.org/tips/3909
0x3: Webshell Hiding Based on serialization and deserialization
http://www.cnblogs.com/littlehann/p/3522990.html (search for "0x22: PHP serialization and deserialization features backdoor layout")
Relevant Link:
http://drops.wooyun.org/papers/660
5. Use After Free Vulnerability in unserialize() with DateTime [CVE-2015-0273]
A use-after-free vulnerability was discovered in unserialize() with the __wakeup() magic method of DateTime/DateTimeZone objects. It can be abused to leak arbitrary memory blocks or to execute arbitrary code remotely.
0x1: Affected Versions
PHP 5.6 < 5.6.6
PHP 5.5 < 5.5.22
PHP 5.4 < 5.4.38
PHP 5.3 <= 5.3.29
0x2: Vulnerability Source Code Analysis
php-src-master\ext\date\php_date.c
static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht)
{
    zval *z_date;
    zval *z_timezone;
    zval *z_timezone_type;
    zval tmp_obj;
    timelib_tzinfo *tzi;
    php_timezone_obj *tzobj;

    z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
    if (z_date) {
        convert_to_string(z_date);
        z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1);
        if (z_timezone_type) {
            convert_to_long(z_timezone_type);
            z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
            if (z_timezone) {
                convert_to_string(z_timezone);
                ...
The convert_to_long() call frees the zval and all of its children, but the unserialize() code still allows R: or r: entries to create references to that already freed memory. This is a use-after-free, and it allows arbitrary code execution.
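A pre-unserialize() gate that reports the classes a stream would instantiate and the R:/r: back-references it carries, the two ingredients both the object injection in section 4 and the references into freed memory described here depend on. This is an added example, not code from the original post or from php-src; the function names and sample inputs are constructed, and it assumes PHP >= 7.0.

```php
<?php
// Added example, not from the original post or php-src: a gate to run on
// untrusted input before unserialize(). It walks the top-level tokens of a
// serialized string and collects the class names it would instantiate and the
// R:/r: back-references it contains. String payloads are skipped by length so
// tokens embedded in them are not counted. C: (custom) payloads are opaque and
// may be over-reported, which is acceptable for a reject-on-sight gate.
function inspect_serialized(string $s): array {
    $classes = [];
    $refs = [];
    $pos = 0;
    $len = strlen($s);
    while ($pos < $len) {
        $rest = substr($s, $pos);
        if (preg_match('/^[OC]:(\d+):"/', $rest, $m)) {       // O:8:"DateTime":
            $start = $pos + strlen($m[0]);
            $classes[] = substr($s, $start, (int)$m[1]);
            $pos = $start + (int)$m[1];
        } elseif (preg_match('/^s:(\d+):"/', $rest, $m)) {     // s:5:"enter";
            $pos += strlen($m[0]) + (int)$m[1] + 2;           // bytes plus '";'
        } elseif (preg_match('/^([Rr]):(\d+);/', $rest, $m)) { // R:2;
            $refs[] = $m[1] . ':' . $m[2];
            $pos += strlen($m[0]);
        } else {
            $pos++;
        }
    }
    return ['classes' => $classes, 'refs' => $refs];
}

// Policy: plain scalars and arrays only; no object instantiation, no references.
function safe_to_unserialize(string $s): bool {
    $r = inspect_serialized($s);
    return $r['classes'] === [] && $r['refs'] === [];
}

// Constructed samples: a benign array, an array whose second element is emitted
// as an R: back-reference to the first, and a DateTime object stream.
$benign = serialize(['user' => 'alice', 'roles' => ['reader']]);
$arr = ['x'];
$arr[] = &$arr[0];
$withRef = serialize($arr);
$withDate = serialize(new DateTime('2015-02-01', new DateTimeZone('UTC')));

foreach ([$benign, $withRef, $withDate] as $sample) {
    var_dump(inspect_serialized($sample), safe_to_unserialize($sample));
}
```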
0x3: PoC
<?php
// Only the tail of one helper function survived extraction; the rest of the
// PoC is not reproduced on this page. The helper packs an integer into 8
// little-endian bytes (name and loop bound reconstructed from the fragment).
function ptr2str($ptr) {
    $out = "";
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}
?>
gdb php
run uafpoc.php assert "system\('sh'\) = exit\(\)"
Relevant Link:
https://github.com/80vul/phpcodz/tree/master/research
6. Memory Corruption Vulnerability exploitation in PHP (CVE-2014-8142 and CVE-2015-0231)
To be studied
Relevant Link:
http://drops.wooyun.org/papers/4864
Copyright (c) 2014 LittleHann All rights reserved