Vulnerabilities > CVE-2015-8617 - Use of Externally-Controlled Format String vulnerability in PHP 7.0.1

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
php
CWE-134
critical
nessus
exploit available
NVD
Published: 2016-01-19
Updated: 2017-09-10

Summary

Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

Vulnerable Configurations

Part Description Count
Application
Php
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Exploit-Db

descriptionPHP 7.0.0 - Format String Vulnerability. CVE-2015-8617. Dos exploits for multiple platform
idEDB-ID:39082
last seen2016-02-04
modified2015-12-23
published2015-12-23
reporterAndrew Kramer
sourcehttps://www.exploit-db.com/download/39082/
titlePHP 7.0.0 - Format String Vulnerability

Nessus

NASL familyCGI abuses
NASL idPHP_7_0_1.NASL
descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.1. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists in the collator_sort_with_sort_keys() function due to improper clearing of pointers when destroying an array. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-8616) - A format string flaw exists in the zend_throw_or_error() function due to improper sanitization of format string specifiers (e.g. %s and %x) in user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-8617) - A flaw exists in the php_password_make_salt() function due to a fall back to password salt generation in an insecure manner when attempts to read random bytes from the operating system
last seen2020-06-01
modified2020-06-02
plugin id87599
published2015-12-22
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/87599
titlePHP 7.0.x < 7.0.1 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87599);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-8616", "CVE-2015-8617");
  script_bugtraq_id(79655, 79672);
  script_xref(name:"EDB-ID", value:"139082");

  script_name(english:"PHP 7.0.x < 7.0.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of PHP.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 7.0.x prior to 7.0.1. It is, therefore, affected by multiple
vulnerabilities :

  - A use-after-free error exists in the
    collator_sort_with_sort_keys() function due to improper
    clearing of pointers when destroying an array. An
    unauthenticated, remote attacker can exploit this to
    dereference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2015-8616)

  - A format string flaw exists in the zend_throw_or_error()
    function due to improper sanitization of format string
    specifiers (e.g. %s and %x) in user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    execute arbitrary code. (CVE-2015-8617)

  - A flaw exists in the php_password_make_salt() function
    due to a fall back to password salt generation in an
    insecure manner when attempts to read random bytes from
    the operating system's cryptographically secure
    pseudo-random number generator (CSPRING) fail. An
    attacker can exploit this to more easily predict the
    generated password salt.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.1");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=71105");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=71020");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.0.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8617");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^7(\.0)?$")
  audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^7\.0\.") audit(AUDIT_NOT_DETECT, "PHP version 7.0.0", port);

# Allow RCs/Beta/etc to be checked.
if (version =~ "^7\.0\.0([^0-9]|$)")
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 7.0.1' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

References