The exploit described leverages a use-after-free vulnerability in PHP's unserialize function to achieve remote code execution. Here's a breakdown of the key steps and techniques used:
Vulnerability Overview
The core issue is that CachedData::unserialize() calls unserialize($data) without properly handling serialization locks, leading to shared state between the outer and inner parsers. This allows an attacker to create dangling pointers in the inner parser's object properties.
Exploitation Phases
Step 1: Leak a Heap Address
- Payload Structure:
  - A top-level array containing:
    - An instance of CachedData
    - Spray strings (32)
    - Back-references to spray slots
- Exploit Timeline:
  - The outer parser creates the CachedData object.
  - The inner parser shares state with the outer one, leaving dangling pointers when the inner object's hash table is resized.
  - A spray string reclaims the freed memory slot.
  - Back-references are resolved by reading from the reclaimed memory.
Step 2: Build uaf_read
- Uses a similar payload structure, but with different content in the spray strings and back-references.
- Yields a primitive for controlled reads of arbitrary memory.
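As an added illustration, not code from the article or from the affected project, the re-entrant pattern the summary describes is shown beside a hardened form that never calls unserialize() on nested untrusted data and disables class instantiation at the trust boundary; the class layout and the decodeCacheEntry helper are assumptions for the example.

```php
<?php
// Vulnerable pattern (reconstructed, not the project's actual source): a
// Serializable class that re-enters unserialize() on attacker-controlled bytes
// while the outer parser is still running. The nested call shares parser state
// with the outer one, which is the condition the summary's exploit relies on.
final class CachedData implements Serializable
{
    private array $data = [];

    public function serialize(): ?string
    {
        return serialize($this->data);
    }

    public function unserialize(string $payload): void
    {
        // Nested unserialize() of untrusted input: do not do this.
        $this->data = unserialize($payload);
    }
}

// Hardened form (an assumed design, not the project's fix): keep the inner
// payload as plain data, use __unserialize() so no second parser run occurs,
// and restore only arrays/scalars, never objects.
final class CachedDataSafe
{
    public function __construct(private array $data = []) {}

    public function __serialize(): array
    {
        return ['data' => $this->data];
    }

    public function __unserialize(array $state): void
    {
        $this->data = is_array($state['data'] ?? null) ? $state['data'] : [];
    }
}

// Caller side: decode untrusted bytes with object instantiation disabled, so
// neither O: nor C: records can reach a custom unserialize() handler at all.
function decodeCacheEntry(string $blob): array
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== 'b:0;') {
        throw new UnexpectedValueException('rejected serialized cache entry');
    }
    return is_array($value) ? $value : [];
}
```

Where the cached payload never legitimately contains objects, JSON is the simpler boundary format and removes the unserialize() attack surface entirely.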
Read the full article at Malware Analysis, News and Indicators - Latest topics