Tenable SecurityCenter Multiple PHP Vulnerabilities (TNS-2015-06)

2015-08-20T00:00:00
ID SECURITYCENTER_PHP_5_4_41.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-07-02T00:00:00

Description

The SecurityCenter application installed on the remote host is affected by multiple vulnerabilities in the bundled version of PHP that is prior to version 5.4.41. It is, therefore, affected by the following vulnerabilities:

  • A flaw in the phar_parse_tarfile function in ext/phar/tar.c could allow a denial of service via a crafted entry in a tar archive. (CVE-2015-4021)

  • An integer overflow condition exists in the ftp_genlist() function in ftp.c due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possible remote code execution. (CVE-2015-4022)

  • Multiple flaws exist related to using pathnames containing NULL bytes. A remote attacker can exploit these flaws, by combining the '\0' character with a safe file extension, to bypass access restrictions. This had been previously fixed but was reintroduced by a regression in versions 5.4+. (CVE-2006-7243, CVE-2015-4025)

                                        
                                            #TRUSTED a87417235c349c9281d27ed2f45f1c359602eb3a62a90b4d5ba9a68a5590a61eb11a98941dfeedf58ebdab2bd1aca26191013a8df280ddd1a216e830490f1ac9604e23dba3dbefe31b3271bda6bdd8fd49cc234e870acda0407093fc952edc57edc9e9db7c26b947f4e06032263eea2afd105245c47bea7808b8d0ed2e0b3c3d2c2ff68b6524e7ddfe28f4f30715388575eadef4188e1c186393f96d6646afa6ab44e376716ef924f2a17374d800ce7c8140c112abf9341655b55d91bca3bf7b302d8c90f8c3df50f8b88a8e3dcf079d1e21ce70b234d11e792f4722f20812ffda15a29cddc472a95ab98303f9eee18e7e7e2e9ff2c602d578708e5404ebbc4d64fe4215073635f3aa3e29fc211f303b657359c74c5a8f483439396c589ff6e24cb20a9687eaec3192ab6d77663d060ccb5eebbe5911f32f9f2ad377018cf90752f29613a3ab017df79578913c8f475b80d5a2e014a03e4d1d1a341809258bfa47ecfe557f097f8fcb72a1c5bffeae8de2ddf86bcf5d735ccec79ace1566bae51868a6e5730b4dcdf35a9d3690bcfa4e1f76dd014ca6c6833fd5ca6362f49b178c0132a6752f58c3b1212f524afbd06bcbca04a20abb06ec3c29ef14f7a5624a10f7d49d7f744587bc02b77a47dd745e03e77af8a3f2f1a2aa678b8e18677ffa84bf7b5ed49e09e756062d3115dd6afbb775f04d795f21caa50fc95b55bcc830
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata pass: when the engine loads the plugin with `description` set,
# register identifiers, advisory text and dependencies, then exit without
# touching the host. The detection logic below this block never runs here.
if (description)
{
  script_id(85566);
  script_version("1.18");
  script_cvs_date("Date: 2019/11/22");

  # Identifiers covered by TNS-2015-06 / PHP 5.4.41 (see the "see_also" links).
  script_cve_id(
    "CVE-2006-7243",
    "CVE-2015-2325",
    "CVE-2015-2326",
    "CVE-2015-4021",
    "CVE-2015-4022",
    "CVE-2015-4024",
    "CVE-2015-4025",
    "CVE-2015-4026"
  );
  script_bugtraq_id(
    44951,
    74700,
    74902,
    74903,
    74904,
    75056,
    75174,
    75175
  );

  script_name(english:"Tenable SecurityCenter Multiple PHP Vulnerabilities (TNS-2015-06)");
  script_summary(english:"Checks the version of PHP in SecurityCenter.");

  script_set_attribute(attribute:"synopsis", value:
"The remote application is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The SecurityCenter application installed on the remote host is
affected by multiple vulnerabilities in the bundled version of PHP
that is prior to version 5.4.41. It is, therefore, affected by the
following vulnerabilities :

 - A flaw in the phar_parse_tarfile function in
    ext/phar/tar.c could allow a denial of service
    via a crafted entry in a tar archive.
    (CVE-2015-4021)

  - An integer overflow condition exists in the
    ftp_genlist() function in ftp.c due to improper
    validation of user-supplied input. A remote attacker can
    exploit this to cause a heap-based buffer overflow,
    resulting in a denial of service condition or possible
    remote code execution. (CVE-2015-4022)

  - Multiple flaws exist related to using pathnames
    containing NULL bytes. A remote attacker can exploit
    these flaws, by combining the '\0' character with a safe
    file extension, to bypass access restrictions. This had
    been previously fixed but was reintroduced by a
    regression in versions 5.4+. (CVE-2006-7243,
    CVE-2015-4025)

  - Multiple heap buffer overflow conditions exist in the
    bundled Perl-Compatible Regular Expression (PCRE)
    library due to improper validation of user-supplied
    input to the compile_branch() and pcre_compile2()
    functions. A remote attacker can exploit these
    conditions to cause a heap-based buffer overflow,
    resulting in a denial of service condition or the
    execution of arbitrary code. (CVE-2015-2325,
    CVE-2015-2326)

  - A security bypass vulnerability exists due to a flaw in
    the pcntl_exec implementation that truncates a pathname
    upon encountering the '\x00' character. A remote
    attacker can exploit this, via a crafted first argument,
    to bypass intended extension restrictions and execute
    arbitrary files. (CVE-2015-4026)

  - A flaw exists in the multipart_buffer_headers() function
    in rfc1867.c due to improper handling of
    multipart/form-data in HTTP requests. A remote attacker
    can exploit this flaw to cause a consumption of CPU
    resources, resulting in a denial of service condition.
    (CVE-2015-4024)");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-06");
  script_set_attribute(attribute:"see_also", value:"https://secure.php.net/ChangeLog-5.php#5.4.41");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the vendor advisory.");
  # Scores are taken from the highest-rated CVE in the set (cvss_score_source below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4026");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20");

  # "local": the check runs a command on the host rather than probing the network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Requires a prior SecurityCenter detection and local checks (localhost or SSH credentials).
  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  script_require_keys("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");


# Command wrappers are only usable when the SSH library can run commands.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  disable_ssh_wrappers();
}
else
{
  enable_ssh_wrappers();
}

# This is a local check: without local checks there is nothing to run.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Prefer the version the local detection stored in the KB; otherwise fall
# back to the single recorded install and attribute the finding to port 443.
port = 0;
sc_ver = get_kb_item("Host/SecurityCenter/Version");
if (empty_or_null(sc_ver))
{
  sc_install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  sc_ver = sc_install["version"];
  port = 443;
}

# Only SecurityCenter 4.6 - 4.9 and 5.x are examined further.
if (!preg(pattern:"^(4\.[6789]|5)\.", string:sc_ver))
  audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);

# Choose the command channel: direct execution on localhost, otherwise an
# SSH session opened here. NOTE(review): info_t and sock_g appear to be
# globals consumed by the hostlevel helpers, so their names must stay.
if (islocalhost())
{
  if (!defined_func("pread")) audit(AUDIT_NOT_DETECT, "pread");
  info_t = INFO_LOCAL;
}
else
{
  sock_g = ssh_open_connection();
  if (!sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
  info_t = INFO_SSH;
}

# Ask the bundled PHP for its version, trying both install prefixes in turn.
line = NULL;
foreach php_bin (make_list("/opt/sc4/support/bin/php", "/opt/sc/support/bin/php"))
{
  line = info_send_cmd(cmd:php_bin + " -v");
  if (line) break;
}

# The session is not needed past this point, whether or not a version came back.
if (info_t == INFO_SSH) ssh_close_connection();
if (!line) audit(AUDIT_UNKNOWN_APP_VER, "PHP (within SecurityCenter)");

# Extract the version number from the "PHP x.y.z ..." banner line.
ver_re = "PHP ([0-9.]+) ";
m = pregmatch(pattern:ver_re, string:line);
if (isnull(m))
  audit(AUDIT_UNKNOWN_APP_VER, "PHP (within SecurityCenter)");

php_ver = m[1];

# Fixed release for the detected PHP branch. Anything that is not 5.5 or 5.6
# (5.4 included) is compared against the 5.4 release named in the advisory.
fix = "5.4.41";
if (php_ver =~ "^5\.5\.") fix = "5.5.25";
else if (php_ver =~ "^5\.6\.") fix = "5.6.9";

# At or above the fixed release: nothing to report.
if (ver_compare(ver:php_ver, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, "PHP (within SecurityCenter)", php_ver);

report =
  '\n' +
  '\n  SecurityCenter version     : ' + sc_ver +
  '\n  SecurityCenter PHP version : ' + php_ver +
  '\n  Fixed PHP version          : ' + fix +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
exit(0);