Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Raymond Irving, PHP Internals
Date: Tue, 16 Apr 2019 19:37:32 +0900

On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev wrote:

> Hi!
>
> > Thanks for responding to this issue.
> >
> > Will calling getMetaData still parse and
> > execute malicious code?
>
> If it's contained in phar and serialized data and the surrounding code
> (I understand that most techniques mentioned in the article rely on
> certain vulnerable code being present) then yes.
This issue was discussed on this list before. As long as PHP calls unserialize for phar metadata, object injection is possible, which may allow malicious code execution.

https://github.com/php/php-src/blob/master/ext/phar/phar.c#L607

I'm not sure if Phar metadata requires objects or not. If not, Phar may use JSON. Or we may add a safer unserialize that ignores objects and references, for maximum compatibility.

Something has to be done, since we wouldn't fix memory issue(s) in unserialization.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
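The "safer unserialize that ignores objects" Yasuo describes already exists in userland form: the `allowed_classes` option of `unserialize()` (PHP 7.0 and later) refuses to instantiate any class, so no `__wakeup()` or `__destruct()` from the payload ever runs. The script below is an added illustration written for this page; it is not code from the thread or from php-src, and the `AuditHook` class, the `metadataOrFail()` helper and the serialized string are constructed for the demo. Note what the option does not cover: it restricts classes only, leaves references (`R:`/`r:`) untouched, and does nothing about parser memory-safety bugs, which is why the thread also floats JSON.

```php
<?php
// Added example (not from the thread or php-src): how unserialize()'s
// allowed_classes option neutralises object injection for metadata
// that should only ever contain scalars and arrays.

class AuditHook
{
    public string $path = '';

    // Object-injection gadgets rely on a magic method running during
    // unserialize(); this one only reports that it ran.
    public function __wakeup(): void
    {
        echo "__wakeup() ran for path=" . $this->path . "\n";
    }
}

// Untrusted input, constructed here; imagine it came from Phar metadata.
$untrusted = serialize(new AuditHook());  // O:9:"AuditHook":1:{s:4:"path";s:0:"";}

// Unsafe: a plain unserialize() instantiates AuditHook and calls __wakeup().
$obj = unserialize($untrusted);
var_dump($obj instanceof AuditHook);      // bool(true)

// Safer: no class may be instantiated. The object is parsed but comes back
// as __PHP_Incomplete_Class, and no payload-supplied method code runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);  // bool(true)

// For metadata that must be plain data, refuse anything that is not.
// max_depth (PHP 7.4+) also bounds nesting so a deep payload cannot
// exhaust the stack before validation even starts.
function metadataOrFail(string $blob): array
{
    $value = unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('metadata must be a serialized array');
    }
    // Any object that survived is an __PHP_Incomplete_Class placeholder
    // for something an attacker tried to smuggle in; reject it outright.
    array_walk_recursive($value, function ($leaf): void {
        if (is_object($leaf)) {
            throw new UnexpectedValueException('objects are not allowed in metadata');
        }
    });
    return $value;
}

var_dump(metadataOrFail(serialize(['alias' => 'app', 'version' => 3])));
try {
    metadataOrFail(serialize(['hook' => new AuditHook()]));
} catch (UnexpectedValueException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: the first `unserialize()` prints the `__wakeup()` line, the `allowed_classes => false` call does not, and the second `metadataOrFail()` call is rejected rather than instantiating anything. In the Phar case the equivalent change would be made in `phar.c` where the metadata is parsed, since application code never gets a say before the engine has already unserialized it.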