PHP ext/mysqli格式串处理漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1196355 漏洞类型 格式化字符串
发布时间 2006-01-13 更新时间 2006-01-17
CVE编号 CVE-2006-0200 CNNVD-ID CNNVD-200601-148
漏洞平台 N/A CVSS评分 9.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2006010026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-148
|漏洞详情
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。PHP5的mysqli扩展在处理错误信息的输出时存在格式串处理问题,远程攻击者可能利用此漏洞在服务器上执行任意指令,PHP5捆绑了新的mysqli扩展,可使用异常信息得到错误报告。在发送这种错误的异常信息时,会将错误消息用作格式串。在某些条件和配置中,恶意的MySQL服务器或错误的SQL查询(如通过SQL注入)可以触发格式串漏洞,导致远程执行代码。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
                        www.hardened-php.net

-= Security  Advisory =-

Advisory: PHP ext/mysqli Format String Vulnerability
 Release Date: 2006/01/12
Last Modified: 2006/01/12
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

Application: PHP5.1 <= 5.1.1
 Not Affected: PHP4, PHP 5.0.x
               PHP 5.1.x with Hardening-Patch
     Severity: A format string vulnerability in the exception handling
               of the new mysqli extension may result in remote code
               execution
         Risk: Low
Vendor Status: Vendor has released a bugfixed version
   References: http://www.hardened-php.net/advisory_022006.113.html

Overview:

PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the mysqli extension.
   
   PHP5 comes with the new mysqli extension, which recently got a new
   error reporting feature using exceptions. When an exception for such
   an error is thrown the error message is used as format string.
   Depending on the situation and configuration, f.e. a malicious MySQL 
   server or an erroneous SQL query (f.e. through SQL injection) can
   result in PHP reporting a (partly) user supplied error message, which
   can result in triggering the format string vulnerability, which can
   lead to remote code execution.

Details:

PHP's new mysqli extension recently got a new error reporting mode
   that is using PHP exceptions to report errors generated by the SQL
   server or errors that occured when a connection cannot be established.
   
   Because of a flaw in the way the format string functions where called
   when such an exception is thrown the error message is used as format 
   string and might contain format string specifiers. Because this error
   message is generated by the mysql client library or the remote mysql
   server there are a number of ways a local or remote attacker can 
   influence the content of the message to cause arbitrary format strings
   to be parsed.
   
   By default the reporting mode will not report failed SQL queries 
   through this mechanism, but when it is enabled SQL injection 
   vulnerabilities can be used by remote attackers to feed arbitrary
   format strings to PHP's internal implementation of the format string
   functions. These functions also support the %n specifier and therefore
   can be exploited in ways similar to the standard fmt string exploits.
   (With the little problem that the %n implementation in PHP is buggy
   and therefore does not behave in the normal way).
   
   In the default reporting mode an attacker has to be either local and
   try to connect to invalid hostnames or remote with control over the
   error messages returned by the mysql server. (malicious server or
   man in the middle attack). In all cases there is the potential for
   attacker controlled memory corruption that could even lead to remote 
   code execution. The vulnerability is rated low risk, because it is
   believed to be hard for an external attacker to abuse this remotely.

PHP servers using our Hardening-Patch are not exploitable because 
   since the very beginning of the patch we have the %n format string 
   specifier disabled, to protect against unknown format string 
   vulnerabilites.

Proof of Concept:

The Hardened-PHP project is not going to release exploits for this
   vulnerability to the public.

Recommendation:

It is strongly recommended to upgrade to the latest appropriate PHP 
   release as soon as possible, because it does not only fix this
   vulnerability, but finally comes with a HTTP Response Splitting 
   protection. 
   
   Additionally we always recommend to run PHP with the Hardening-Patch
   applied, because this vulnerability once again proved that our users
   are protected against unknown vulnerabilities before they become
   public knowledge.

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ
pynps3w+tBa+wi0y1WQ7rUo=
=rdnA
-----END PGP SIGNATURE-----
|参考资料

来源:XF
名称:php-extmysqli-format-string(24095)
链接:http://xforce.iss.net/xforce/xfdb/24095
来源:BID
名称:16219
链接:http://www.securityfocus.com/bid/16219
来源:www.php.net
链接:http://www.php.net/release_5_1_2.php
来源:VUPEN
名称:ADV-2006-0177
链接:http://www.frsirt.com/english/advisories/2006/0177
来源:SECUNIA
名称:18431
链接:http://secunia.com/advisories/18431
来源:BUGTRAQ
名称:20060112Advisory02/2006:PHPext/mysqliFormatStringVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/421705/100/0/threaded
来源:MISC
链接:http://www.hardened-php.net/advisory_022006.113.html
来源:VUPEN
名称:ADV-2006-0369
链接:http://www.frsirt.com/english/advisories/2006/0369
来源:SECTRACK
名称:1015485
链接:http://securitytracker.com/id?1015485
来源:SREASON
名称:337
链接:http://securityreason.com/securityalert/337