PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.2.31
- < 8.3.31
- < 8.4.21
- < 8.5.6
A use-after-free vulnerability has been identified in the PHP SOAP extension, affecting versions 8.2.* prior to 8.2.31, 8.3.* prior to 8.3.31, 8.4.* prior to 8.4.21, and 8.5.* prior to 8.5.6. The issue lies in the object deduplication mechanism, which stores object pointers in a global map without increasing their reference counts. When an 'apache:Map' node contains duplicate keys, the later entry overwrites the earlier one, freeing the original object while its pointer remains in the map as a dangling reference to a freed PHP object. By manipulating the SOAP request, this vulnerability can be leveraged to execute arbitrary code remotely.
Exploitation of this vulnerability allows for remote code execution on the server where the affected PHP version is running.
To reproduce this vulnerability, send a SOAP request containing an 'apache:Map' node with duplicate keys. The first entry is stored in the global reference map; the second entry overwrites it, freeing the original object but leaving a stale pointer in the map. A subsequent reference to the freed object then dereferences the dangling pointer, leading to exploitation.
Users can upgrade to PHP versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 to address this vulnerability.