Hey, I am SpyD3r (@TarunkantG) and in this blog I will be discussing a bug (a segmentation fault) I found in PHP while playing with phar; I couldn't turn this bug into a security issue though :(. The issue occurs when the same phar file gets included twice, and it affected all versions of PHP at the time.
When I tried to include a "phar" file (i.e. using the phar:// wrapper) twice, PHP crashed with a segmentation fault. Attaching gdb, I noticed that the crash occurred in the
_php_stream_seek function. The issue was that all the arguments to this function were NULL (including the php_stream object). This leads to an invalid compare statement (dereferencing an invalid address), resulting in a crash. We tried analyzing this, but since we are novices with the PHP codebase, all of the following could be wrong.
Basically, a NULL pointer dereference is taking place in _php_stream_seek because the php_stream that the _php_stream_seek function is trying to access was closed after the first _php_stream_seek. The argument of phar_stream_read, which is a php_stream, had stream->abstract->fp set to NULL instead of a valid file pointer.
This could be dangerous, as Local File Inclusion (LFI) + a segmentation fault can lead to RCE, as I discussed in my previous blog (check it here). This can be exploited by sending a PHP shell: at the moment of the segmentation fault a temporary PHP file is left behind in the temp folder (it won't get deleted), and it can then be triggered through the LFI by brute-forcing the file name.
But getting all of this (a file-upload vuln + partial PHP code execution, which we need in order to include the phar file twice) in one real-world application is somewhat tough, so this bug is open now.
For creating a phar file:
Here is the practical aspect of this: in a big PHP code base it is easily possible that you created a file which includes two other files, and there is a chance that both of those files include the same file. Let's see an example.
#which includes b.php and c.php
b.php includes test.phar:
c.php also includes test.phar:
And on running it:
Expected result is:
Actual result is:
hello  Segmentation fault
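To check whether a given PHP build is affected by this double-include crash, here is an added example (not the author's code) that creates the test.phar described above, writes the a.php/b.php/c.php layout from the post, and runs a.php in a child process so that a crash only shows up as an abnormal exit code. It assumes the CLI running this script has phar.readonly=0 (needed to write the phar) and that a `php` binary is on PATH.

```php
<?php
// Added example, not from the original post: reproduce the include-twice layout
// in a child process and report whether the interpreter exited abnormally.
// Assumes phar.readonly=0 for this script and `php` on PATH.
$dir = sys_get_temp_dir() . '/phar-double-include-' . getmypid();
mkdir($dir);
$pharPath = "$dir/test.phar";

// 1. Build test.phar with a single file that prints "hello" (matches the post's output).
$phar = new Phar($pharPath);
$phar->addFromString('hello.php', '<?php echo "hello\n";');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

// 2. b.php and c.php both include the same file through the phar:// wrapper;
//    a.php includes b.php and then c.php, so the phar is opened twice.
$inc = "<?php include 'phar://$pharPath/hello.php';\n";
file_put_contents("$dir/b.php", $inc);
file_put_contents("$dir/c.php", $inc);
file_put_contents("$dir/a.php",
    "<?php include __DIR__ . '/b.php'; include __DIR__ . '/c.php';\n");

// 3. Run a.php in a child interpreter; a segfault there cannot kill this script.
//    The shell reports a SIGSEGV-terminated child as exit code 128 + 11 = 139.
exec('php ' . escapeshellarg("$dir/a.php") . ' 2>&1', $output, $exitCode);

$expected = "hello\nhello";
$got = trim(implode("\n", $output));
if ($exitCode === 0 && $got === $expected) {
    echo "not affected: both includes ran, child exited 0\n";
} else {
    echo "affected or unexpected: exit code $exitCode, output:\n$got\n";
}

// 4. Clean up the temporary files.
foreach (['a.php', 'b.php', 'c.php', 'test.phar'] as $f) {
    @unlink("$dir/$f");
}
rmdir($dir);
```

An unpatched build prints "hello" once and then terminates with exit code 139, while a patched build prints "hello" twice and exits 0.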
The bug was reported in bugs.php.net, you can see all the comments and description there, follow the following link: https://bugs.php.net/bug.php?id=77432
I hope you found this blog worth reading.