A significant vulnerability has been identified within PHP’s ZipArchive class, specifically concerning its garbage collection (GC) algorithm. This issue, logged as Sec Bug #72434, was first submitted on June 16, 2016, and reveals a use after free vulnerability that could enable remote code execution on affected systems.
The problem arises when PHP’s garbage collection interacts with specific PHP objects, particularly during the unserialization process. According to a detailed report by the discoverers, Ruslan Habalov and Dario Weißer, "A critical use after free vulnerability was discovered when PHP's garbage collection algorithm interacts with other specific PHP objects." Their analysis indicates that exploiting this vulnerability is possible in local or remote contexts.
Notably, the flaw affects all PHP versions from 5.3 onwards, including PHP 7. The researchers have highlighted that the issue requires the configuration option "--enable-zip" to be active, which is commonly the default in many operating system distributions. In their report, they emphasized, "This vulnerability has wide-reaching effects like allowing the exploitation of unserialize to gain remote code execution on a target system."
"--enable-zip"
The nature of the bug stems from a flaw within PHP's internal garbage collection algorithm. This algorithm is designed to clear up zval objects that contain cyclic references. This risk becomes prominent when a zval destructs, triggering the GC algorithm to check for potential root candidates, like arrays or objects. If such candidates are detected, they are logged into a root buffer, which the GC uses to manage cyclic references. Habalov and Weißer describe the method, stating that, "The GC algorithm is supposed to clean up zvals with cyclic references."
The series of steps within this algorithm can misfire when it reaches a ZipArchive object. It is at this point that the method "php_zip_get_properties" is called, leading to further complications. Habalov and Weißer noted, "We can trick the GC algorithm into visiting a specific property of the object first and only then call get_properties on this specific object." This vulnerability, which has already been exploited in prior instances, allows attackers to manipulate the garbage collector and execute arbitrary code.
"php_zip_get_properties"
Following extensive analysis, the researchers opted not to release a proof of concept (POC) to avoid potential malicious exploitation of the vulnerability. They concluded, "Since this has been done already several times, we will leave out any POC exploit at this point."
This vulnerability has been assigned the CVE-ID 2016-5773 and is now marked as closed. Importantly, users are advised to review their PHP deployment configurations and consider upgrading to maintain security. With the increasing reliance on PHP for web applications, it is crucial for developers and organizations to stay informed about such vulnerabilities and implement necessary security measures promptly.
In conclusion, as digital threats evolve, the importance of robust security mechanisms within programming languages like PHP cannot be overstated. The discovery of this use after free vulnerability serves as a reminder of the ongoing need for vigilance in software development and systems management. PHP users are urged to remain cautious and update their systems as necessary to mitigate the potential risks associated with this critical bug.