Lucene search

HistoryDec 14, 2013 - 12:00 a.m.

PHP 5.5.x < 5.5.7 OpenSSL openssl_x509_parse() Memory Corruption

2013-12-1400:00:00

www.tenable.com

According to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.7. It is, therefore, potentially affected by a memory corruption flaw in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.

Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(71428);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2013-6420");
  script_bugtraq_id(64225);
  script_xref(name:"EDB-ID", value:"30395");

  script_name(english:"PHP 5.5.x < 5.5.7 OpenSSL openssl_x509_parse() Memory Corruption");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is potentially
affected by a memory corruption vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP 5.5.x installed on the
remote host is a version prior to 5.5.7.  It is, therefore, potentially
affected by a memory corruption flaw in the way the openssl_x509_parse()
function of the PHP OpenSSL extension parsed X.509 certificates.  A
remote attacker could use this flaw to provide a malicious, self-signed
certificate or a certificate signed by a trusted authority to a PHP
application using the aforementioned function.  This could cause the
application to crash or possibly allow the attacker to execute arbitrary
code with the privileges of the user running the PHP interpreter. 

Note that this plugin does not attempt to exploit the vulnerability, but
instead relies only on PHP's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.5.7");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2013/Dec/96");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1036830");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.5.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-6420");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^5(\.5)?$") exit(1, "The banner from the PHP install associated with port "+port+" - "+version+" - is not granular enough to make a determination.");
if (version !~ "^5\.5\.") audit(AUDIT_NOT_DETECT, "PHP version 5.5.x", port);

if (version =~ "^5\.5\.[0-6]($|[^0-9])")
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : '+source +
      '\n  Installed version : '+version+
      '\n  Fixed version     : 5.5.7\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

VendorProductVersionCPE
phpphpcpe:/a:php:php

Vendor	Product	Version	CPE
php	php		cpe:/a:php:php

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420

www.php.net/ChangeLog-5.php#5.5.7

bugzilla.redhat.com/show_bug.cgi?id=1036830

seclists.org/fulldisclosure/2013/Dec/96

PHP 5.5.x < 5.5.7 OpenSSL openssl_x509_parse() Memory Corruption

References

Related