An old bug that turned out to be an exploitable UAF vulnerability

Almost two years ago I reported bug #76047, for which I initially didn’t understand the root cause, until Nikita Popov explained that it was a use-after-free in debug_backtrace() when called from a destructor. Back then I didn’t manage to produce a short reproduction case, and only yesterday it was reported that there is an exploit using this bug. It allows executing a function that has been disabled in php.ini – in this case the system() function.

Basically, as I understand it, after triggering the issue (see Nikita’s short reproduction version) the exploit uses the leaked pointer to obtain a pointer to a closure in the PHP heap, finds the address of the internal system() function and overwrites the closure’s handler with it. Calling the closure then actually executes system().

Just an hour ago a fix was committed to Master.

Veselin Kenashkov

Developer at Azonmedia
Loves PHP, frameworks and old computers. Currently interested in Swoole and Vuejs.