CVE-2009-3294 - Use of Externally-Controlled Format String vulnerability in PHP

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
CWE: CWE-134

Summary

The popen API function in TSRM/tsrm_win32.c in PHP before 5.2.11 and 5.3.x before 5.3.1, when running on certain Windows operating systems, allows context-dependent attackers to cause a denial of service (crash) via a crafted (1) "e" or (2) "er" string in the second argument (aka mode), possibly related to the _fdopen function in the Microsoft C runtime library. NOTE: this might not cross privilege boundaries except in rare cases in which the mode argument is accessible to an attacker outside of an application that uses the popen function.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n writes the number of characters output so far to a memory location. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

NASL family: CGI abuses
NASL id: PHP_5_2_11.NASL
description: According to its banner, the version of PHP installed on the remote host is older than 5.2.11. Such versions may be affected by several security issues : - An unspecified error occurs in certificate validation inside
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41014
published: 2009-09-18
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41014
title: PHP < 5.2.11 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(41014);
  script_version("1.18");
  script_cvs_date("Date: 2018/07/24 18:56:10");

  script_cve_id(
    "CVE-2009-3291",
    "CVE-2009-3292",
    "CVE-2009-3293",
    "CVE-2009-3294",
    "CVE-2009-4018",
    "CVE-2009-5016"
  );
  script_bugtraq_id(36449, 44889);
  script_xref(name:"Secunia", value:"36791");

  script_name(english:"PHP < 5.2.11 Multiple Vulnerabilities");
  script_summary(english:"Checks version of PHP");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server uses a version of PHP that is affected by
multiple flaws."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its banner, the version of PHP installed on the remote
host is older than 5.2.11.  Such versions may be affected by several
security issues :

  - An unspecified error occurs in certificate validation
    inside 'php_openssl_apply_verification_policy'.

  - An unspecified input validation vulnerability affects
    the color index in 'imagecolortransparent()'.

  - An unspecified input validation vulnerability affects
    exif processing.

  - Calling 'popen()' with an invalid mode can cause a
    crash under Windows. (Bug #44683)

  - An integer overflow in 'xml_utf8_decode()' can make it
    easier to bypass cross-site scripting and SQL injection 
    protection mechanisms using a specially crafted string 
    with a long UTF-8 encoding. (Bug #49687)

  - 'proc_open()' can bypass 'safe_mode_protected_env_vars'.
    (Bug #49026)"
  );

  script_set_attribute(
    attribute:"see_also",
    value:"http://www.php.net/ChangeLog-5.php#5.2.11"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.php.net/releases/5_2_11.php"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://news.php.net/php.internals/45597"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.php.net/ChangeLog-5.php#5.2.11"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to PHP version 5.2.11 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 134, 264);

  script_set_attribute(attribute:"patch_publication_date", value:"2009/09/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("php_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("webapp_func.inc");

# Locate the HTTP port that serves PHP (default 80).
port = get_http_port(default:80, php:TRUE);

# Read the PHP version and where it was seen (e.g. the X-Powered-By header)
# from the knowledge base populated by php_version.nasl.
php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

# Distribution builds may carry backported fixes under an old version string;
# unless paranoid reporting is enabled, do not flag those on version alone.
backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Affected: every 0.x-4.x release, 5.0.x, 5.1.x, and 5.2.0 through 5.2.10.
# The trailing ($|[^0-9]) keeps "5.2.1" from also matching 5.2.11 through 5.2.19.
if (version =~ "^[0-4]\." ||
    version =~ "^5\.[01]\." ||
    version =~ "^5\.2\.([0-9]|10)($|[^0-9])"
)
{
  if (report_verbosity > 0)
  {
    # Verbose report: show where the version came from and the fixed release.
    report =
      '\n  Version source     : '+source +
      '\n  Installed version  : '+version+
      '\n  Fixed version      : 5.2.11\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
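As an added example (not from this page, the Tenable plugin, or PHP itself), the Python below re-implements the plugin's banner check and extends it with the 5.3.x before 5.3.1 branch named in the CVE summary, which the 5.2.11 plugin does not cover; the banner lines are constructed samples. Like the plugin, it judges only by the reported version, so distribution builds with backported fixes (the plugin's `backported` key) will be reported as affected.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the CVE summary: 5.2.11 for the 5.2 line, 5.3.1 for the 5.3 line.
FIXED_5_2 = (5, 2, 11)
FIXED_5_3 = (5, 3, 1)

# Constructed sample X-Powered-By / Server header lines (not captured from any real host).
SAMPLE_BANNERS: List[str] = [
    "X-Powered-By: PHP/5.2.10",
    "X-Powered-By: PHP/5.2.11",
    "X-Powered-By: PHP/5.3.0",
    "X-Powered-By: PHP/5.3.1",
    "Server: Apache/1.3.41 (Unix) PHP/4.4.9",
    "X-Powered-By: PHP/5.2.9-2ubuntu4.3",   # distro build; may carry a backported fix
    "Server: Apache/2.2.3 (CentOS)",         # no PHP banner at all
]


def parse_php_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a 'PHP/x.y.z' banner, ignoring distro suffixes."""
    m = re.search(r"\bPHP/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner's version is below the fixed release for its branch,
    False if at or above it, None when the line carries no PHP version.
    Mirrors the plugin's regex (everything below 5.2.11) and adds the 5.3.0 case."""
    version = parse_php_version(banner)
    if version is None:
        return None
    if version[:2] == (5, 3):
        return version < FIXED_5_3
    return version < FIXED_5_2


def triage(banners: List[str]) -> Dict[str, Optional[bool]]:
    """Map each banner line to its verdict; backported fixes still need manual confirmation."""
    return {b: is_affected(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{str(verdict):5}  {banner}")
```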

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 36449 CVE ID: CVE-2009-3291,CVE-2009-3292,CVE-2009-3293,CVE-2009-3294. PHP is a widely used general-purpose scripting language, particularly suited to web development, that can be embedded in HTML. Versions of PHP before 5.2.11 contain security vulnerabilities in multiple functions that may allow remote attackers to cause a denial of service or fully compromise the user's system. 1) PHP's php_openssl_apply_verification_policy function does not correctly perform certificate validation, which may allow an attacker to carry out spoofing attacks with a forged certificate. 2) The imagecolortransparent function does not correctly filter the color index. 3) When running on certain Windows operating systems, the popen API function in the file TSRM/tsrm_win32.c allows an attacker to cause a denial of service via a specially crafted "e" or "er" string in the second argument. PHP 5.2.x Vendor patch: PHP --- The vendor has released an upgrade that fixes this security issue; please download it from the vendor's homepage: http://www.php.net/releases/5_2_11.php
id: SSV:12389
last seen: 2017-11-19
modified: 2009-09-23
published: 2009-09-23
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-12389
title: PHP 5.2.11 fixes multiple security vulnerabilities

Statements

contributor: Tomas Hoger
last modified: 2009-09-24
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.