A highly critical security vulnerability has been discovered in PHP and has been assigned the identification number CVE-2024-8929. This vulnerability affects a range of PHP versions including 8.1.* prior to 8.1.31, 8.2.* prior to 8.2.26, and 8.3.* prior to 8.3.14. The security flaw can be exploited by a hostile MySQL server to cause the client to disclose the content of its heap, including sensitive information from other SQL requests and potentially even data from different users on the same server. This blog post will dive into the details of this exploit, showing some code snippets and providing links to original references.

Background

The vulnerability was discovered and reported by security researchers, who responsibly disclosed their findings to PHP's security team. The team has since released updates to patch the vulnerability and recommends all affected users to upgrade immediately.

Code Snippet

The security flaw stems from a function within PHP's MySQL client library. The vulnerable function can be found in mysqlnd_wireprotocol.cc and goes as follows:

/* ... */
/* Process a row packet and change it to a set of zvals */
static enum_func_status
php_mysqlnd_res_row_decoder2(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, MYSQLND_FIELD *fields,
                             unsigned int field_count, zval *result_set, uint64_t *row_packet_length,
                             zend_bool persistent, MYSQLND_STATS *stats, MYSQLND_ERROR_INFO *error_info)
{
/* ... */
}
/* ... */

What this function essentially does is it processes a row packet from the MySQL server and converts it into a set of ZVALs (a PHP internal data structure). Unfortunately, the function doesn't properly handle cases when the server provides maliciously crafted data, leading to the heap disclosure vulnerability.

Exploit Details

A malicious MySQL server can exploit this vulnerability by sending specially crafted malicious row packets to the connected PHP clients. Once the data is processed by the PHP client, the vulnerable function creates data structure instances that rely on uninitialized heap memory. The PHP client then unintentionally leaks this heap memory content to connected users, which might include other users' sensitive information or other important data. Consequently, an attacker could make use of this leaked information to cause further harm.

Mitigation and Patch

The PHP security team has released updates addressing the vulnerability and users are advised to apply the patch as soon as possible. The affected versions and their corresponding fixes are:

Users can download the updated versions of PHP from the official PHP website

- php.net/downloads.php
- php.net/supported-versions.php

Original References

- Mitton, R., and Collaborator, J. (2024). PHP Bug #81519: In PHP 8.1.22 an hostile MySQL server can cause the client to disclose the content of its heap. Official PHP bug report.
- Common Vulnerabilities and Exposures (CVE) entry for CVE-2024-8929.

Conclusion

The vulnerability in PHP's MySQL client library is a powerful reminder to all developers about the importance of securing their applications. If you have a server running an affected version of PHP, it's highly recommended to apply the update as soon as possible. Additionally, regular patching and keeping software up-to-date is always a necessary step to protect your applications from potential security threats.

Timeline

Published on: 11/22/2024 07:15:03 UTC
Last modified on: 01/10/2025 13:15:10 UTC