exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2006-02.113

Hardened-PHP Project Security Advisory 2006-02.113
Posted Jan 15, 2006
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

Hardened-PHP Project Security Advisory - PHP5 comes with the new mysqli extension, which recently got a new error reporting feature using exceptions. When an exception for such an error is thrown the error message is used as format string. Depending on the situation and configuration, f.e. a malicious MySQL server or an erroneous SQL query (f.e. through SQL injection) can result in PHP reporting a (partly) user supplied error message, which can result in triggering the format string vulnerability, which can lead to remote code execution. Versions 5.1 through 5.1.1 are affected. PHP4 is not affected.

tags | advisory, remote, php, code execution, sql injection
SHA-256 | 18ec3642ab2d62fd5a42bd5d1437d23a8fe3f61f1cff06e814d6b1aa5c3b93ad

Hardened-PHP Project Security Advisory 2006-02.113

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: PHP ext/mysqli Format String Vulnerability
Release Date: 2006/01/12
Last Modified: 2006/01/12
Author: Stefan Esser [sesser@hardened-php.net]

Application: PHP5.1 <= 5.1.1
Not Affected: PHP4, PHP 5.0.x
PHP 5.1.x with Hardening-Patch
Severity: A format string vulnerability in the exception handling
of the new mysqli extension may result in remote code
execution
Risk: Low
Vendor Status: Vendor has released a bugfixed version
References: http://www.hardened-php.net/advisory_022006.113.html


Overview:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

During the development of the Hardening-Patch which adds security
hardening features to the PHP codebase, several vulnerabilities
within PHP were discovered. This advisory describes one of these
flaws concerning a weakness in the mysqli extension.

PHP5 comes with the new mysqli extension, which recently got a new
error reporting feature using exceptions. When an exception for such
an error is thrown the error message is used as format string.
Depending on the situation and configuration, f.e. a malicious MySQL
server or an erroneous SQL query (f.e. through SQL injection) can
result in PHP reporting a (partly) user supplied error message, which
can result in triggering the format string vulnerability, which can
lead to remote code execution.


Details:

PHP's new mysqli extension recently got a new error reporting mode
that is using PHP exceptions to report errors generated by the SQL
server or errors that occured when a connection cannot be established.

Because of a flaw in the way the format string functions where called
when such an exception is thrown the error message is used as format
string and might contain format string specifiers. Because this error
message is generated by the mysql client library or the remote mysql
server there are a number of ways a local or remote attacker can
influence the content of the message to cause arbitrary format strings
to be parsed.

By default the reporting mode will not report failed SQL queries
through this mechanism, but when it is enabled SQL injection
vulnerabilities can be used by remote attackers to feed arbitrary
format strings to PHP's internal implementation of the format string
functions. These functions also support the %n specifier and therefore
can be exploited in ways similar to the standard fmt string exploits.
(With the little problem that the %n implementation in PHP is buggy
and therefore does not behave in the normal way).

In the default reporting mode an attacker has to be either local and
try to connect to invalid hostnames or remote with control over the
error messages returned by the mysql server. (malicious server or
man in the middle attack). In all cases there is the potential for
attacker controlled memory corruption that could even lead to remote
code execution. The vulnerability is rated low risk, because it is
believed to be hard for an external attacker to abuse this remotely.

PHP servers using our Hardening-Patch are not exploitable because
since the very beginning of the patch we have the %n format string
specifier disabled, to protect against unknown format string
vulnerabilites.


Proof of Concept:

The Hardened-PHP project is not going to release exploits for this
vulnerability to the public.


Recommendation:

It is strongly recommended to upgrade to the latest appropriate PHP
release as soon as possible, because it does not only fix this
vulnerability, but finally comes with a HTTP Response Splitting
protection.

Additionally we always recommend to run PHP with the Hardening-Patch
applied, because this vulnerability once again proved that our users
are protected against unknown vulnerabilities before they become
public knowledge.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ
pynps3w+tBa+wi0y1WQ7rUo=
=rdnA
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close