The flaw, discovered by independent security researcher LCFR and coordinated via SSD Secure Disclosure, affects the core memory management of PHP and can be exploited to gain full read/write access to the interpreter’s memory, enabling attackers to execute code at the native level.
The vulnerability lies in how PHP’s extract() function manages memory when importing variables from an array into the current symbol table, particularly when the EXTR_REFS The flag is used.
This flag causes variables to be extracted as references, which in turn exposes a complex interaction between variable destruction, memory deallocation, and object destructors.
In PHP 5.x, the relevant code is found in the PHP_FUNCTION(extract) implementation:
cextract_refs = (extract_type & EXTR_REFS); // Set EXTR_REFS
...
if (extract_refs) {
// Path taken when EXTR_REFS is set
...
if (zend_hash_find(EG(active_symbol_table), Z_STRVAL(final_name), Z_STRLEN(final_name) + 1, (void ** ) & orig_var) == SUCCESS) {
zval_ptr_dtor(orig_var); // Attempt to remove and free the variable
*orig_var = *entry;
}
...
}
If the variable being extracted is an object, its __destruct() the method may be called during this process.
If the destructor unsets the same variable, it triggers a double-free scenario: the memory for the same variable is freed twice, corrupting the heap and leading to exploitable conditions.
PHP 7.x and 8.x split the logic into helper functions, but the core issue remains.
The function php_extract_ref_overwrite() in PHP 8.x, for example, similarly attempts to destroy existing variables before replacing them, leading to a use-after-free or double-free if the object’s destructor interferes.
Attackers can craft PHP code that manipulates the heap allocator’s free list by overlapping allocations of different types (such as strings and arrays), gaining arbitrary read/write access to PHP’s memory.
By leveraging this, they can:
A minimal proof-of-concept exploits the bug by defining a class with a destructor that unsets a global variable during extraction, causing the double-free:
phpclass GetFree {
public function __destruct() {
unset($GLOBALS["b"]);
}
}
$b = new GetFree();
$array = ["b" => "AB"];
extract($array, EXTR_REFS);
Zend, the PHP vendor, has acknowledged the issue and released a security advisory.
However, their initial response downplayed the risk, stating, “We do not generally consider code that is specifically crafted to cause crashes security issues.”
Nevertheless, a patch is in progress.
| Risk Factor | Description | Severity |
|---|---|---|
| Impact | Arbitrary code execution, memory corruption, full interpreter compromise | Critical |
| Attack Vector | Local code execution, but exploitable via crafted PHP scripts | High |
| Affected Systems | All platforms running PHP 5.x, 7.x, 8.x | Universal |
| Exploitability | Requires ability to run or inject PHP code (e.g., shared hosting, plugins) | High |
| Mitigation | Patch pending, avoid use of extract() with EXTR_REFS | Moderate |
This vulnerability underscores the dangers of complex memory management in dynamic languages like PHP.
Until patches are widely deployed, developers are urged to avoid using extract() the EXTR_REFS flag and to audit code for unsafe variable extraction patterns.
The risk of arbitrary code execution makes this a critical issue for all environments running PHP.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post “PHP extract() Function Flaw Allows Hackers to Execute Arbitrary Code” appeared first on Cyber Security News.
Culture Shock in Rockford hosted its 19th annual Record Store Day event Saturday, featuring new…
Warning! Spoilers for Invincible on Prime Video follow.Fans of Prime Video’s Invincible have started debating…
The community of Lena has launched a widespread recovery and debris cleanup effort following significant…
Lena Brewing Company in Lena, located on Highway 20, is currently operating on a generator…
Marvel Studios mastermind Kevin Feige has opened up about the decision to bring Robert Downey…
Project Hail Mary author Andy Weir has revealed his “only regret” about the movie, confirming…
This website uses cookies.