Almost two years ago I reported bug #76047, whose root cause I initially didn’t understand until Nikita Popov explained that it was a use-after-free in debug_backtrace() when it is called from a destructor. Back then I didn’t manage to produce a short reproduction case; that changed yesterday, when it was reported that there is an exploit using this bug. It allows executing a function that is disabled in php.ini – in this case the system() function.
Basically, as I understand it, after triggering the issue (see Nikita’s short reproduction) the exploit uses the leaked pointer to obtain a pointer to a closure on the PHP heap, finds the address of the internal system() function and writes it over the closure. Calling the closure then actually executes system().
Just an hour ago a fix was committed to Master.
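The exploit above works below the configuration layer: disable_functions is enforced through the engine’s function table, and a memory-safety bug in the engine lets an attacker bypass that table entirely. The only real fix is running a PHP build that contains the patch. The following audit script is an added example (not code from the original post or from the PHP project) for the step a practitioner takes after patching: it confirms that the disable_functions policy is still applied and that every listed function is reported as unavailable by the engine. The list of function names is a constructed, typical hardening set and is an assumption; adjust it to your own policy.

```php
<?php
// Added example (not from the original post): audit the disable_functions
// policy of the running PHP interpreter. This checks only the configuration
// layer. The use-after-free in debug_backtrace() described in the post
// bypasses that layer inside the engine, so this complements, and does not
// replace, upgrading to a build that contains the fix for bug #76047.

/**
 * Return the function names listed in disable_functions, trimmed,
 * lower-cased and de-duplicated.
 */
function disabledFunctionsFromIni(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    return array_values(array_unique(array_map('strtolower', $names)));
}

/**
 * For each name in $expected (functions a hardened php.ini should disable),
 * report whether it is listed in the policy and whether the engine still
 * reports it as existing. function_exists() returns false for functions
 * disabled via disable_functions, so a correctly disabled function must
 * report exists=false.
 */
function auditDisabledFunctions(array $expected): array
{
    $listed = disabledFunctionsFromIni();
    $rows   = [];
    foreach ($expected as $name) {
        $name   = strtolower($name);
        $rows[] = [
            'function' => $name,
            'listed'   => in_array($name, $listed, true),
            'exists'   => function_exists($name),
        ];
    }
    return $rows;
}

// Constructed list of typical command-execution functions (assumption):
// change it to match the policy you actually enforce.
$expected = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

printf("PHP %s\n", PHP_VERSION);
printf("disable_functions = %s\n\n", ini_get('disable_functions') ?: '(empty)');

$problems = 0;
foreach (auditDisabledFunctions($expected) as $row) {
    // A function is correctly disabled only if it is both listed in the
    // policy and no longer visible to the engine.
    $ok = $row['listed'] && !$row['exists'];
    $problems += $ok ? 0 : 1;
    printf("%-12s listed=%-3s exists=%-3s %s\n",
        $row['function'],
        $row['listed'] ? 'yes' : 'no',
        $row['exists'] ? 'yes' : 'no',
        $ok ? 'OK' : 'REVIEW');
}

// Non-zero exit status makes the script usable from a deployment check.
exit($problems === 0 ? 0 : 1);
```

Run it with the same php.ini (or the same SAPI) as the production service, since CLI and FPM builds often load different configuration. A row marked REVIEW means the policy is incomplete; a clean run only confirms the policy, not the absence of engine bugs, which is why the PHP version printed on the first line is the value to compare against the release that carries the fix.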
Veselin Kenashkov