PHP 7.1.2 fsockopen Misbehavior

🗓️ 03 Apr 2017 00:00:00Reported by Fikri FadzilType

packetstorm🔗 packetstormsecurity.com👁 246 Views

PHP 7.1.2 fsockopen Misbehavior, Allows SSRF Attack

Reporter	Title	Published	Views	Family All 49
IBM Security Bulletins	Security Bulletin: API Connect Developer Portal is affected by a PHP vulnerability (CVE-2017-7272)	15 Jun 201807:09	–	ibm
BDU FSTEC	The vulnerability of the PHP programming language, related to insufficient validation of incoming requests, allows attackers to gain access to confidential data and compromise its integrity.	28 Mar 202300:00	–	bdu_fstec
CNVD	PHP Server-Side Request Forgery Security Bypass Vulnerability	30 Mar 201700:00	–	cnvd
CVE	CVE-2017-7272	27 Mar 201717:00	–	cve
Cvelist	CVE-2017-7272	27 Mar 201717:00	–	cvelist
Debian	[SECURITY] [DLA 1490-1] php5 security update	1 Sep 201813:12	–	debian
Debian	[SECURITY] [DLA 875-1] php5 security update	27 Mar 201723:05	–	debian
Debian CVE	CVE-2017-7272	27 Mar 201717:00	–	debiancve
Tenable Nessus	Debian DLA-875-1 : php5 security update	28 Mar 201700:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)	4 Dec 201900:00	–	nessus

`SEC Consult Vulnerability Lab Security Advisory < 20170403-0 >  
=======================================================================  
title: Misbehavior of the "fsockopen" function  
product: PHP  
vulnerable version: 7.1.2  
fixed version:  
CVE number: CVE-2017-7272  
impact: Medium  
homepage: http://www.php.net/  
found: 2017-03-06  
by: Fikri Fadzil (Office Kuala Lumpur)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"PHP is a popular general-purpose scripting language that is especially suited  
to web development. Fast, flexible and pragmatic, PHP powers everything from  
your blog to the most popular websites in the world."  
  
Source: http://www.php.net/  
  
  
Business recommendation:  
------------------------  
By making use of this issue, it is possible for an attacker to bypass current  
prevention mechanisms used to protect the "fsockopen" function in PHP to perform  
server-side request forgery attacks.  
  
SEC Consult recommends to check the developed or installed websites for any  
possibility to exploit any form of vulnerability due to this issue.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The "fsockopen" function in PHP will respond differently if two port numbers  
are given at once. As many developers assume the function will prioritize the  
port number given to the second function parameter, an attacker may utilize this  
unpredictable behavior to e.g. conduct a server-side request forgery attack.  
  
  
Proof of concept:  
-----------------  
The "fsockopen" function in PHP will not use the port number given to the  
second parameter if the hostname already has a port number appended. The  
example below should explain misbehavior of the function.  
  
// This request will go to port 80  
fsockopen("192.168.184.132", 80);  
  
// This request will go to port 53  
fsockopen("192.168.184.132:53", 80);  
  
Instead of initiating a socket connection on port 80 as given in the second  
parameter, the function appears to use the port number 53 which is  
appended to the hostname.  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
PHP version 7.0.11 and 7.1.2 have been tested and found to be vulnerable.  
  
Older PHP versions are potentially affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2017-03-07: Reported the issue through PHP Bug Tracking System. (SecBug #74216)  
https://bugs.php.net/bug.php?id=74216  
2017-03-07: Changes were committed to the PHP's main repo in Github.  
  
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a  
2017-04-03: Public disclosure of the advisory  
  
  
Solution:  
---------  
Patch:  
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a  
  
  
Workaround:  
-----------  
It is recommended to restrict user input data for a hostname to not have a  
port number appended.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Fikri Fadzil / @2017  
  
`

03 Apr 2017 00:00Current

EPSS0.03514