Exploitalert - Database of Exploits

PHP ext/mysqli Format String Vulnerability

CVE	Category	Price	Severity
CVE-2016-7395	CWE-134	$500	Critical

Author	Risk	Exploitation Type	Date
unknown	High	Remote	2006-01-28

CPE
cpe:cpe:/a:php:mysqli

CVSS	EPSS	EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Adjacent	AV	The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2006010026

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PHP ext/mysqli Format String Vulnerability Release Date: 2006/01/12 Last Modified: 2006/01/12 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: PHP5.1 <= 5.1.1 Not Affected: PHP4, PHP 5.0.x PHP 5.1.x with Hardening-Patch Severity: A format string vulnerability in the exception handling of the new mysqli extension may result in remote code execution Risk: Low Vendor Status: Vendor has released a bugfixed version References: http://www.hardened-php.net/advisory_022006.113.html Overview: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. During the development of the Hardening-Patch which adds security hardening features to the PHP codebase, several vulnerabilities within PHP were discovered. This advisory describes one of these flaws concerning a weakness in the mysqli extension. PHP5 comes with the new mysqli extension, which recently got a new error reporting feature using exceptions. When an exception for such an error is thrown the error message is used as format string. Depending on the situation and configuration, f.e. a malicious MySQL server or an erroneous SQL query (f.e. through SQL injection) can result in PHP reporting a (partly) user supplied error message, which can result in triggering the format string vulnerability, which can lead to remote code execution. Details: PHP's new mysqli extension recently got a new error reporting mode that is using PHP exceptions to report errors generated by the SQL server or errors that occured when a connection cannot be established. Because of a flaw in the way the format string functions where called when such an exception is thrown the error message is used as format string and might contain format string specifiers. Because this error message is generated by the mysql client library or the remote mysql server there are a number of ways a local or remote attacker can influence the content of the message to cause arbitrary format strings to be parsed. By default the reporting mode will not report failed SQL queries through this mechanism, but when it is enabled SQL injection vulnerabilities can be used by remote attackers to feed arbitrary format strings to PHP's internal implementation of the format string functions. These functions also support the %n specifier and therefore can be exploited in ways similar to the standard fmt string exploits. (With the little problem that the %n implementation in PHP is buggy and therefore does not behave in the normal way). In the default reporting mode an attacker has to be either local and try to connect to invalid hostnames or remote with control over the error messages returned by the mysql server. (malicious server or man in the middle attack). In all cases there is the potential for attacker controlled memory corruption that could even lead to remote code execution. The vulnerability is rated low risk, because it is believed to be hard for an external attacker to abuse this remotely. PHP servers using our Hardening-Patch are not exploitable because since the very beginning of the patch we have the %n format string specifier disabled, to protect against unknown format string vulnerabilites. Proof of Concept: The Hardened-PHP project is not going to release exploits for this vulnerability to the public. Recommendation: It is strongly recommended to upgrade to the latest appropriate PHP release as soon as possible, because it does not only fix this vulnerability, but finally comes with a HTTP Response Splitting protection. Additionally we always recommend to run PHP with the Hardening-Patch applied, because this vulnerability once again proved that our users are protected against unknown vulnerabilities before they become public knowledge. GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ pynps3w+tBa+wi0y1WQ7rUo= =rdnA -----END PGP SIGNATURE-----

Impressum