Vulnerabilities > CVE-2015-8616 - Unspecified vulnerability in PHP 7.0.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
php
nessus
NVD
Published: 2016-01-19
Updated: 2016-01-22

Summary

Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging the relationships between a key buffer and a destroyed array. <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>

Vulnerable Configurations

Part Description Count
Application
Php
1

Nessus

NASL familyCGI abuses
NASL idPHP_7_0_1.NASL
descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.1. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists in the collator_sort_with_sort_keys() function due to improper clearing of pointers when destroying an array. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-8616) - A format string flaw exists in the zend_throw_or_error() function due to improper sanitization of format string specifiers (e.g. %s and %x) in user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-8617) - A flaw exists in the php_password_make_salt() function due to a fall back to password salt generation in an insecure manner when attempts to read random bytes from the operating system
last seen2020-06-01
modified2020-06-02
plugin id87599
published2015-12-22
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/87599
titlePHP 7.0.x < 7.0.1 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87599);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-8616", "CVE-2015-8617");
  script_bugtraq_id(79655, 79672);
  script_xref(name:"EDB-ID", value:"139082");

  script_name(english:"PHP 7.0.x < 7.0.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of PHP.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 7.0.x prior to 7.0.1. It is, therefore, affected by multiple
vulnerabilities :

  - A use-after-free error exists in the
    collator_sort_with_sort_keys() function due to improper
    clearing of pointers when destroying an array. An
    unauthenticated, remote attacker can exploit this to
    dereference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2015-8616)

  - A format string flaw exists in the zend_throw_or_error()
    function due to improper sanitization of format string
    specifiers (e.g. %s and %x) in user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    execute arbitrary code. (CVE-2015-8617)

  - A flaw exists in the php_password_make_salt() function
    due to a fall back to password salt generation in an
    insecure manner when attempts to read random bytes from
    the operating system's cryptographically secure
    pseudo-random number generator (CSPRING) fail. An
    attacker can exploit this to more easily predict the
    generated password salt.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.1");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=71105");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=71020");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.0.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8617");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^7(\.0)?$")
  audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^7\.0\.") audit(AUDIT_NOT_DETECT, "PHP version 7.0.0", port);

# Allow RCs/Beta/etc to be checked.
if (version =~ "^7\.0\.0([^0-9]|$)")
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 7.0.1' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

References