Cyber Security News

Critical Vulnerability in PHP’s extract() Function Allows Arbitrary Code Execution

A critical vulnerability in PHP’s extract() function enables attackers to trigger memory corruption that can lead to arbitrary native code execution across multiple PHP versions. 

The vulnerability stems from a memory management issue that can be triggered by a specific usage pattern involving references and object destructors, and it affects all major PHP versions, including 5.x, 7.x, and 8.x.

Critical Vulnerability in PHP’s extract() Function

The vulnerability exists within PHP’s extract() function, specifically when used with the EXTR_REFS flag. 

This function imports variables from an array into the current symbol table, which can be manipulated to create a dangerous memory condition.

When extract() processes a variable that’s an object with a defined __destruct() method, attackers can trigger a race condition. 

The __destruct() method can unset the variable that extract() is currently operating on, leading to:

  • A double-free condition in PHP 5.x versions.
  • A use-after-free vulnerability in PHP 7.x and 8.x versions.

Security researchers demonstrated that this memory corruption can be reliably exploited to gain arbitrary code execution by overlapping a string and array zval, effectively giving attackers read/write access to PHP’s memory.

The attack follows a sophisticated pattern:

  • Triggering the double-free/use-after-free with a crafted object.
  • Manipulating PHP’s memory allocation to create overlapping memory structures.
  • Leaking memory addresses of critical PHP internals like executor_globals.
  • Locating disabled functions like system() in memory.
  • Restoring functionality of disabled functions by overwriting internal structures.

Address Space Layout Randomization (ASLR) does not prevent this attack, as exploits can leak memory addresses at runtime by manipulating overlapped data structures.

The flaw has been identified by independent security researcher LCFR in collaboration with SSD Secure Disclosure.

Proof of Concept Code

A minimal proof of concept triggering the vulnerability:

When debugging with ASAN (AddressSanitizer), this code produces a heap-use-after-free error in PHP 8.x, confirming the vulnerability.

The PHP development team has addressed the issue through GitHub security advisory GHSA-4pwq-3fv3-gm94.

Web application administrators and PHP developers should:

  • Update to the latest patched PHP version immediately.
  • Avoid using extract() with user-controlled data.
  • If extract() must be used, avoid the EXTR_REFS flag.
  • Consider implementing additional application-level security controls.
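The two coding recommendations above (do not feed extract() user-controlled data, and drop EXTR_REFS where extract() remains) are easiest to apply by replacing the import with explicit, allowlisted reads. The following is an added example written for this article, not code from the advisory or from the PHP project: `riskyHandler` shows the pattern the advice warns against, `hardenedHandler` and `pickParams` (both hypothetical names) show the replacement, and `$sample` is a constructed request standing in for `$_POST`.

```php
<?php
// Added example: contrast extract() on user-controlled input with an
// allowlisted, type-checked import that never touches the symbol table.

// RISKY: every key of the request becomes a local variable, by reference.
// Any variable already in scope can be overwritten by a request key of the
// same name, and EXTR_REFS is the flag the advisory ties to the memory
// corruption described above.
function riskyHandler(array $request): string
{
    $greeting = 'Hello';
    extract($request, EXTR_REFS);   // in real code $request would be $_POST
    return "$greeting, $name";      // $name only exists if the request sent it
}

// HARDENED: no extract() at all. Only keys named in the schema are read,
// each value is type-checked, and unknown keys are ignored.
function hardenedHandler(array $request): string
{
    $schema = ['name' => 'string', 'greeting' => 'string'];
    $params = pickParams($request, $schema);

    $greeting = $params['greeting'] ?? 'Hello';
    $name = $params['name'] ?? 'guest';
    return "$greeting, $name";
}

// Copy only allowlisted keys whose runtime type matches the schema.
function pickParams(array $input, array $schema): array
{
    $out = [];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $input)) {
            continue;
        }
        $value = $input[$key];
        if (gettype($value) !== $type) {
            throw new InvalidArgumentException("Parameter '$key' must be of type $type");
        }
        $out[$key] = $value;
    }
    return $out;
}

// Constructed sample request (stands in for $_POST). The extra keys are the
// kind a caller never wants turned into local variables.
$sample = ['name' => 'Alice', 'greeting' => 'Hi', 'isAdmin' => true, 'dbHandle' => 'x'];
echo hardenedHandler($sample), PHP_EOL;
```

Run with `php example.php`. With `hardenedHandler`, the `isAdmin` and `dbHandle` keys never become variables; with `riskyHandler` they would, and `greeting` would silently be replaced. PHP's `EXTR_SKIP` and `EXTR_PREFIX_ALL` flags reduce name collisions, but they do not make it safe to import user-controlled arrays, so the explicit read is the fix to prefer.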

This vulnerability underscores the risks associated with PHP’s dynamic features and memory management. 

Developers are urged to audit their use of extract(), apply security patches promptly, and adhere to secure coding practices to prevent exploitation of such critical flaws.
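Auditing a code base for extract() usage is a mechanical job, and PHP's own tokenizer does it more reliably than a text search (which misses `\extract(` and matches `$obj->extract()`). The script below is an added example for this article, not a tool from the advisory or the PHP project; the file name `audit_extract.php` and the helper names are hypothetical. It lists every call to the builtin under a directory and flags those passing EXTR_REFS.

```php
<?php
// audit_extract.php: report every builtin extract() call under a source tree
// and flag the ones that pass EXTR_REFS. Added example; uses only PHP's
// bundled tokenizer extension.

// Return the nearest preceding token that is not whitespace or a comment.
function prevSignificant(array $tokens, int $i)
{
    for ($j = $i - 1; $j >= 0; $j--) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

// True for the identifier "extract" or "\extract" (PHP 8 tokenizes the
// leading backslash together with the name as T_NAME_FULLY_QUALIFIED).
function isExtractName($t): bool
{
    if (!is_array($t)) {
        return false;
    }
    if ($t[0] === T_STRING) {
        return strcasecmp($t[1], 'extract') === 0;
    }
    return defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED
        && strcasecmp($t[1], '\\extract') === 0;
}

function findExtractCalls(string $code, string $file): array
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        if (!isExtractName($tokens[$i])) {
            continue;
        }
        // $obj->extract(), Foo::extract() and "function extract(" are not the builtin.
        $prev = prevSignificant($tokens, $i);
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // It is only a call if the next significant token is '('.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Scan the argument list up to the matching ')' for the EXTR_REFS constant.
        $depth = 0;
        $refs = false;
        for (; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') {
                $depth++;
            } elseif ($t === ')' && --$depth === 0) {
                break;
            } elseif (is_array($t) && $t[0] === T_STRING && $t[1] === 'EXTR_REFS') {
                $refs = true;
            }
        }
        $findings[] = ['file' => $file, 'line' => $tokens[$i][2], 'extr_refs' => $refs];
    }
    return $findings;
}

// Walk the directory given on the command line (defaults to the current one).
$root = $argv[1] ?? '.';
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$total = 0;
foreach ($it as $path => $info) {
    if ($info->getExtension() !== 'php') {
        continue;
    }
    foreach (findExtractCalls(file_get_contents($path), $path) as $f) {
        $total++;
        printf("%s:%d extract()%s\n", $f['file'], $f['line'],
            $f['extr_refs'] ? '  <-- EXTR_REFS: remove the flag or the call' : '');
    }
}
fprintf(STDERR, "%d extract() call(s) found\n", $total);
```

Run as `php audit_extract.php /path/to/app`. Every reported line deserves a look, since extract() on any externally influenced array is the pattern the advice above warns against; the EXTR_REFS hits are the ones to fix first while the PHP upgrade is being rolled out.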


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
