ext-soap supports deduplicating objects in the XML graph through id and href. When traversing the XML graph, ext-soap will remember all plain PHP objects using the hash map SOAP_GLOBAL(ref_map), where the pointer to the libxml2 node acts as a key, and the PHP object as a value. This happens in soap_add_xml_ref().
Crucially, the reference count of the PHP object is not increased. Normally this is not a problem, as all objects in the XML graph are stored in the resulting object graph and cannot be freed.
soap_check_xml_ref() does the opposite of soap_add_xml_ref(); it will check whether some libxml2 node as already been evaluated and stored in SOAP_GLOBAL(ref_map).
The Apache map offers a mechanism to free objects between these two points by overwriting existing map entries.
class Handler {
public function test($map, $stale) {
global $result;
$result = $stale;
}
}
$envelope = <<<'XML' somekey Stale somekey XML;
$s = new SoapServer(null, ['uri' => 'urn:a']);
$s->setClass(Handler::class);
$s->handle($envelope);
var_dump($result);
This example will:
- evaluate the
mapnode - evaluate the
Staleobject, which includes calling callingsoap_add_xml_ref()to remember it inSOAP_GLOBAL(ref_map) - add the resulting object to a temporary map, which will be the result of the Apache map node
- overwrite the object immediately with
NULLfor theStaleobject only strongly referenced by the temporary map, with the reference inSOAP_GLOBAL(ref_map)becoming stale - have
SOAP_GLOBAL(ref_map), reusing the freed memory
After this code, $result will refer to the stale memory where Stale was previously allocated. The attacker has high control over this memory segment by subsequently allocating plain strings, leading to Remote Code Execution.
The solution is straight forward, namely increase the reference count before adding objects to SOAP_GLOBAL(ref_map), and configure a ZVAL_PTR_DTOR deallocator to release the objects when the procedure is done.