Vulnerabilities > CVE-2008-2829 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message, related to the rfc822_write_address function.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-628-1.NASL description It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user last seen 2020-06-01 modified 2020-06-02 plugin id 33575 published 2008-07-24 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33575 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : php5 vulnerabilities (USN-628-1) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-5787.NASL description This update fixes a buffer overflow in php_imap.c that uses an old IMAP API. This bug can be exploited to execute arbitrary code remotely via long IMAP requests. (CVE-2008-2829) last seen 2020-06-01 modified 2020-06-02 plugin id 35004 published 2008-12-02 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35004 title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-5787) NASL family SuSE Local Security Checks NASL id SUSE_11_0_APACHE2-MOD_PHP5-081114.NASL description This update fixes a buffer overflow in php_imap.c that uses an old IMAP API. This bug can be exploited to execute arbitrary code remotely via long IMAP requests. (CVE-2008-2829) last seen 2020-06-01 modified 2020-06-02 plugin id 39914 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39914 title openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-310) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200811-05.NASL description The remote host is affected by the vulnerability described in GLSA-200811-05 (PHP: Multiple vulnerabilities) Several vulnerabilitites were found in PHP: PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). Multiple crash issues in several PHP functions have been discovered. Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). An off-by-one error in the metaphone() function may lead to memory corruption. Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). Stefan Esser reported that a short-coming in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 34787 published 2008-11-17 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34787 title GLSA-200811-05 : PHP: Multiple vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-128.NASL description A number of vulnerabilities have been found and corrected in PHP : php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36486 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36486 title Mandriva Linux Security Advisory : php (MDVSA-2008:128) NASL family CGI abuses NASL id PHP_5_2_7.NASL description According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by multiple vulnerabilities : - There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack. (CVE-2008-2371) - Multiple directory traversal vulnerabilities exist in functions such as last seen 2020-06-01 modified 2020-06-02 plugin id 35043 published 2008-12-05 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35043 title PHP 5 < 5.2.7 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-126.NASL description A number of vulnerabilities have been found and corrected in PHP : PHP 5.2.1 would allow context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with last seen 2020-06-01 modified 2020-06-02 plugin id 37584 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37584 title Mandriva Linux Security Advisory : php (MDVSA-2008:126) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_27D01223C45711DDA7210030843D3802.NASL description Secunia reports : Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. An input validation error exists within the last seen 2020-06-01 modified 2020-06-02 plugin id 35051 published 2008-12-08 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35051 title FreeBSD : php -- multiple vulnerabilities (27d01223-c457-11dd-a721-0030843d3802) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3848.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38957 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38957 title Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848) NASL family Fedora Local Security Checks NASL id FEDORA_2009-3768.NASL description Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 38956 published 2009-06-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38956 title Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-339-01.NASL description New php packages are available for Slackware 12.0, 12.1, and -current to fix security issues, as well as make improvements and fix bugs. last seen 2020-06-01 modified 2020-06-02 plugin id 35035 published 2008-12-05 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35035 title Slackware 12.0 / 12.1 / current : php (SSA:2008-339-01) NASL family MacOS X Local Security Checks NASL id MACOSX_10_5_7.NASL description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11 last seen 2020-06-01 modified 2020-06-02 plugin id 38744 published 2009-05-13 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38744 title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-127.NASL description A number of vulnerabilities have been found and corrected in PHP : The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 38042 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38042 title Mandriva Linux Security Advisory : php (MDVSA-2008:127)
Seebug
bulletinFamily | exploit |
description | CVE-2008-2829 PHP发生缓冲区溢出漏洞,因为它未能执行边界检查,然后复制用户提供的数据不够大内存缓冲器。 攻击者可以利用这一问题向执行任意机器代码的背景下,受影响的网络服务器。利用尝试失败有可能会崩溃的Web服务器,使服务的合法用户。 的PHP 5.2.6及以前的版本是受到此漏洞的影响。 Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 lpia Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 11 x64 Turbolinux Turbolinux Server 11 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 3.0 x64 Turbolinux Appliance Server 3.0 Turbolinux Appliance Server 2.0 Slackware Linux 12.1 Slackware Linux 12.0 Slackware Linux -current PHP PHP 5.2.6 PHP PHP 5.2.5 PHP PHP 5.2.4 PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 PHP PHP 5.1.6 + Ubuntu Ubuntu Linux 6.10 sparc + Ubuntu Ubuntu Linux 6.10 powerpc + Ubuntu Ubuntu Linux 6.10 i386 + Ubuntu Ubuntu Linux 6.10 amd64 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 PHP PHP 5.1.3 PHP PHP 5.1.2 + Ubuntu Ubuntu Linux 6.06 LTS sparc + Ubuntu Ubuntu Linux 6.06 LTS powerpc + Ubuntu Ubuntu Linux 6.06 LTS i386 + Ubuntu Ubuntu Linux 6.06 LTS amd64 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 + Trustix Secure Linux 2.2 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0 MandrakeSoft Linux Mandrake 2008.1 x86_64 MandrakeSoft Linux Mandrake 2008.1 MandrakeSoft Linux Mandrake 2008.0 x86_64 MandrakeSoft Linux Mandrake 2008.0 MandrakeSoft Linux Mandrake 2007.1 x86_64 MandrakeSoft Linux Mandrake 2007.1 Gentoo Linux Updates are available; please see the references for more information. <a href=www.php.net target=_blank>www.php.net</a> |
id | SSV:4538 |
last seen | 2017-11-19 |
modified | 2008-12-10 |
published | 2008-12-10 |
reporter | Root |
title | PHP 'rfc822_write_address()' 功能缓冲区溢出漏洞 |
Statements
contributor | Mark J Cox |
lastmodified | 2008-07-24 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. For more details see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2829 |
References
- http://bugs.php.net/bug.php?id=42862
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- http://marc.info/?l=bugtraq&m=124654546101607&w=2
- http://marc.info/?l=bugtraq&m=125631037611762&w=2
- http://osvdb.org/46641
- http://secunia.com/advisories/31200
- http://secunia.com/advisories/32746
- http://secunia.com/advisories/35074
- http://secunia.com/advisories/35306
- http://secunia.com/advisories/35650
- http://security.gentoo.org/glsa/glsa-200811-05.xml
- http://support.apple.com/kb/HT3549
- http://wiki.rpath.com/Advisories:rPSA-2009-0035
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:126
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:127
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:128
- http://www.openwall.com/lists/oss-security/2008/06/19/6
- http://www.openwall.com/lists/oss-security/2008/06/24/2
- http://www.securityfocus.com/archive/1/501376/100/0/threaded
- http://www.securityfocus.com/bid/29829
- http://www.ubuntu.com/usn/usn-628-1
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2009/1297
- https://bugs.gentoo.org/show_bug.cgi?id=221969
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43357
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html