Sec Bug #71704 php_snmp_error() Format String Vulnerability
Submitted: 2016-03-02 19:14 UTC Modified: 2016-04-25 17:07 UTC
From: andrew at jmpesp dot org Assigned: ab (profile)
Status: Closed Package: SNMP related
PHP Version: 5.5.33 OS: Any
Private report: No CVE-ID: 2016-4071

 

 [2016-03-02 19:14 UTC] andrew at jmpesp dot org
Description:
------------
A format string vulnerability exists in php_snmp_error() at ext/snmp/snmp.c:533, because snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a "%s".  This issue appears to be present across all PHP versions.  In testing, I have been able to leverage this vulnerability for full code-execution by abusing PHP's internal "%Z" (zval) format specifier.  In the interest of brevity I am not attaching that exploit to this report, but would be happy to provide it if wanted/needed.


This patch should solve it:

--- php-7.0.3/ext/snmp/snmp.c	2016-02-28 10:30:45.575024313 +0000
+++ php-7.0.3_patched/ext/snmp/snmp.c	2016-03-02 19:04:15.037952227 +0000
@@ -530,7 +530,7 @@
 	}
 
 	if (object && (snmp_object->exceptions_enabled & type)) {
-		zend_throw_exception_ex(php_snmp_exception_ce, type, snmp_object->snmp_errstr);
+		zend_throw_exception_ex(php_snmp_exception_ce, type, "%s", snmp_object->snmp_errstr);
 	} else {
 		va_start(args, format);
 		php_verror(docref, "", E_WARNING, format, args);
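Review bot: the one-token fix is the right one, and the `else` branch at the end of the hunk shows the intended pattern: `php_verror` receives the caller's `format` together with `args`, whereas the exception branch was handing `snmp_object->snmp_errstr`, a runtime string built from the SNMP error text, to `zend_throw_exception_ex` in the format position, so any `%` sequence in that text was interpreted as a directive. Passing the literal `"%s"` and the string as its argument closes that. Two follow-ups worth doing in the same change: grep ext/snmp for any other `zend_throw_exception_ex` or `php_error_docref` call that passes a non-literal format, and add a regression test that enables `exceptions_enabled` and requests an OID containing `%` (the report's test script is a ready-made one) so this path stays covered.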





Test script:
---------------
<?php
// Proof of concept from the report. Only the exception path of
// php_snmp_error() is affected, so exceptions must be enabled on the session.
$session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
$session->exceptions_enabled = SNMP::ERRNO_ANY;  // important!
try {
	// The '%' directives reach php_snmp_error(), which in unpatched builds
	// passed the error text straight to zend_throw_exception_ex() as its
	// format string instead of as a "%s" argument.
	$session->get("%x%x%x%x%x%x%x%x");
} catch (SNMPException $e) {
	echo $e->getMessage();
}
?>
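As an added illustration, not code from the report or from php-src: the stand-in below mimics the vulnerable and the patched call shapes with a vsnprintf-backed throw_ex() that is assumed here in place of zend_throw_exception_ex(). It uses "%%" as the probe because that is the one directive whose effect is deterministic without extra arguments, and it shows how the printf format attribute lets the compiler flag a non-literal format (-Wformat-security).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for zend_throw_exception_ex(): formats the message the way the
 * real function does, but returns the text instead of raising an exception.
 * The format attribute lets GCC/Clang warn when the format is not a literal. */
static char last_message[256];

__attribute__((format(printf, 2, 3)))
static const char *throw_ex(int code, const char *format, ...)
{
    va_list args;
    (void)code;
    va_start(args, format);
    vsnprintf(last_message, sizeof last_message, format, args);
    va_end(args);
    return last_message;
}

/* Vulnerable shape from the report: the SNMP error text, which can carry
 * caller-controlled input, becomes the format string, so every '%' in it is
 * interpreted. The pragma silences the very warning that would have caught
 * this, to keep the faulty shape compilable for the comparison below. */
static const char *report_vulnerable(int type, const char *snmp_errstr)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
    return throw_ex(type, snmp_errstr);
#pragma GCC diagnostic pop
}

/* Fixed shape from the patch: literal "%s" format, error text passed as data. */
static const char *report_fixed(int type, const char *snmp_errstr)
{
    return throw_ex(type, "%s", snmp_errstr);
}

/* Returns 1 when the error text survives verbatim, 0 when it was interpreted
 * as a format. A "%%" in the input collapses to "%" only on the faulty path. */
static int preserves_text(const char *(*report)(int, const char *),
                          const char *errstr)
{
    return strcmp(report(1, errstr), errstr) == 0;
}
```

The same compiler check applies to the real function: with a printf format attribute on the declaration, the original call with a non-literal format and no arguments is reported at build time.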




History

 [2016-03-21 04:22 UTC] stas@php.net
-Assigned To: +Assigned To: ab
 [2016-03-21 04:22 UTC] stas@php.net
6e25966544fb1d2f3d7596e060ce9c9269bbdcf8 in security repo
 [2016-03-29 06:46 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.33
 [2016-03-29 06:53 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 06:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c19a08b9daed6bae3071dd25742f59a59618823
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c19a08b9daed6bae3071dd25742f59a59618823
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-04-25 17:07 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4071
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC