Sec Bug #71704 php_snmp_error() Format String Vulnerability
Submitted: 2016-03-02 19:14 UTC Modified: 2016-04-25 17:07 UTC
From: andrew at jmpesp dot org Assigned: ab
Status: Closed Package: SNMP related
PHP Version: 5.5.33 OS: Any
Private report: No CVE-ID: 2016-4071
 [2016-03-02 19:14 UTC] andrew at jmpesp dot org
Description:
------------
A format string vulnerability exists in php_snmp_error() at ext/snmp/snmp.c:533, because snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a "%s".  This issue appears to be present across all PHP versions.  In testing, I have been able to leverage this vulnerability for full code-execution by abusing PHP's internal "%Z" (zval) format specifier.  In the interest of brevity I am not attaching that exploit to this report, but would be happy to provide it if wanted/needed.


This patch should solve it:

--- php-7.0.3/ext/snmp/snmp.c	2016-02-28 10:30:45.575024313 +0000
+++ php-7.0.3_patched/ext/snmp/snmp.c	2016-03-02 19:04:15.037952227 +0000
@@ -530,7 +530,7 @@
 	}
 
 	if (object && (snmp_object->exceptions_enabled & type)) {
-		zend_throw_exception_ex(php_snmp_exception_ce, type, snmp_object->snmp_errstr);
+		zend_throw_exception_ex(php_snmp_exception_ce, type, "%s", snmp_object->snmp_errstr);
 	} else {
 		va_start(args, format);
 		php_verror(docref, "", E_WARNING, format, args);
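Review bot: The `+` line is the correct fix: `snmp_object->snmp_errstr` is runtime text produced from the SNMP exchange, and the `-` line handed it to `zend_throw_exception_ex()` in the format position with no arguments, so any `%` directive inside it was interpreted; passing a literal `"%s"` and the string as a vararg removes that. The `else` branch below is already in the safe shape, since `php_verror()` gets the caller's `format` parameter plus the `args` va_list rather than the error string itself. Worth checking the rest of ext/snmp/snmp.c for any other site that places `snmp_errstr` (or other runtime text) in a format position so every path gets the same treatment, and a one-line comment above the call noting why `"%s"` is required would help prevent a regression.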





Test script:
---------------
<?php
$session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
$session->exceptions_enabled = SNMP::ERRNO_ANY;  // important!
try {
	$session->get("%x%x%x%x%x%x%x%x");
} catch (SNMPException $e) {
	echo $e->getMessage();
}
?>
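The following is an added example, not code from the report or from php-src: a small C model of the pre-patch and patched call shapes in php_snmp_error(), with the constructed `fake_throw_exception_ex` standing in for `zend_throw_exception_ex()`. The error strings are constructed; only `%%`, the one directive defined without arguments, is fed to the pre-patch shape so the demonstration stays defined behaviour.

```c
/* Added example, not PHP's own code: models the php_snmp_error() fix in C. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for zend_throw_exception_ex(): renders the message into a buffer.
 * The format attribute makes gcc/clang -Wformat-security flag a non-literal
 * format with no arguments, which is the pre-patch call shape. */
__attribute__((format(printf, 3, 4)))
static int fake_throw_exception_ex(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch shape: the error text itself is the format string. Only called
 * here with "%%" in the text; any other directive would consume arguments
 * that were never passed (undefined behaviour). */
int snmp_error_vuln(const char *errstr, char *out, size_t outlen)
{
    return fake_throw_exception_ex(out, outlen, errstr);
}

/* Patched shape: a literal "%s" format, errstr travels as data. */
int snmp_error_fixed(const char *errstr, char *out, size_t outlen)
{
    return fake_throw_exception_ex(out, outlen, "%s", errstr);
}

/* 1 if the chosen renderer reproduces errstr byte for byte, else 0. */
int renders_verbatim(int (*render)(const char *, char *, size_t), const char *errstr)
{
    char buf[256];
    render(errstr, buf, sizeof buf);
    return strcmp(buf, errstr) == 0;
}

int main(void)
{
    /* Constructed error text shaped like the OID in the report's test script. */
    const char *oid_err = "Invalid object identifier: %x%x%x%x%x%x%x%x";
    char buf[256];
    snmp_error_fixed(oid_err, buf, sizeof buf);
    printf("fixed  : %s\n", buf);
    printf("vuln keeps %%%% verbatim: %d\n", renders_verbatim(snmp_error_vuln, "50%% done"));
    return 0;
}
```

Compiling with `-Wformat-security` reports the call inside `snmp_error_vuln` as a non-literal format with no arguments, which is the compile-time check that would have flagged snmp.c:533.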




History

 [2016-03-21 04:22 UTC] stas@php.net
-Assigned To: +Assigned To: ab
 [2016-03-21 04:22 UTC] stas@php.net
6e25966544fb1d2f3d7596e060ce9c9269bbdcf8 in security repo
 [2016-03-29 06:46 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.33
 [2016-03-29 06:53 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 06:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c19a08b9daed6bae3071dd25742f59a59618823
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c19a08b9daed6bae3071dd25742f59a59618823
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 [2016-04-25 17:07 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4071
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Log: Fixed bug #71704 php_snmp_error() Format String Vulnerability
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Feb 24 01:01:37 2017 UTC