|
PHP Multiple Extensions Buffer Overflow Vulnerabilities
|
|
Secunia Advisory:
|
SA25735
|
|
|
Release Date:
|
2007-06-21
|
|
Last Update:
|
2007-09-03
|
|
Popularity:
|
9,309 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
Local system
|
|
Solution Status:
|
Unpatched
|
|
| Software: | PHP 5.2.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2007-3294
CVE-2007-4255
CVE-2007-4441
CVE-2007-4507
CVE-2007-4586
|
|
Description:
Some vulnerabilities have been discovered in the PHP tidy, snmp, mSQL, win32std, ntuser, and iisfunc extensions, which can be exploited by malicious users to bypass certain security restrictions.
1) A boundary error exists within the tidy extension when processing arguments passed to the "tidy_parse_string()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the second argument to the affected function.
2) A boundary error exists within the snmp extension when processing arguments passed to the "snmpget()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
3) A boundary error exists within the "php_msql_do_connect()" function in the mSQL extension. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the "msql_connect()" or "msql_pconnect()" functions.
4) A boundary error exists within the win32std extension when processing arguments passed to the "win_browse_file()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the third parameter to the affected function.
5) A boundary error exists within the ntuser extension when processing arguments passed to the "ntuser_getuserlist()", "ntuser_getusergroups()", "ntuser_getdomaincontroller()" and "ntuser_getuserinfo()" functions. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to an affected function.
6) A boundary error exists within the iisfunc extension when processing arguments passed to the "iis_getservicestate()" function. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the first argument to the affected function.
Successful exploitation of these vulnerabilities allows execution of arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed, but requires that the extensions are installed.
The vulnerabilities are confirmed in the 5.2.3 win32 installer. Other versions may also be affected.
Solution:
Grant only trusted users permissions to execute PHP code.
Provided and/or discovered by:
1,2) Discovered by rgod.
3) Discovered by nima_501.
4) Discovered by boecke.
5) Discovered by shinnai.
6) Discovered by boecke.
Changelog:
2007-06-22: Added CVE reference.
2007-07-23: Added vulnerability #2.
2007-08-07: Added vulnerability #3 and updated "Title".
2007-08-09: Added CVE reference.
2007-08-20: Added vulnerability #4.
2007-08-22: Added CVE reference.
2007-08-24: Added vulnerability #5.
2007-08-28: Added vulnerability #6.
2007-09-03: Added CVE reference.
Original Advisory:
1) http://milw0rm.com/exploits/4080
2) http://milw0rm.com/exploits/4204
4) http://milw0rm.com/exploits/4293
5) http://milw0rm.com/exploits/4304
6) http://milw0rm.com/exploits/4318
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
Today
|
New advisories:
|
33 |
|
New vulnerabilities:
|
55 |
|
Updated advisories:
|
56 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
