SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP mysqli Extension Error Mode Format String Flaw May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015485
SecurityTracker URL:  http://securitytracker.com/id/1015485
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 12 2006
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.1 - 5.1.1
Description:   A vulnerability was reported in Php in the mysqli extension. A user may be able to execute arbitrary code on the target system.

The mysqli extension error reporting mode contains a format string vulnerability. When errors generated by the SQL server or connections to the SQL server are reported via this mode and when the error message contains format string specifiers, arbitrary code may be executed on the target system if the user can affect the error message.

The specific impact depends on the application using this extension and on the system configuration.

A local user can exploit this flaw by attempting to connect to invalid hostnames. A remote user can exploit this flaw if the user has control over the error messages returned by the relevant SQL server.

PHP 4 is not affected.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

http://www.hardened-php.net/advisory_022006.113.htmls

Impact:   A user may be able to execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (5.1.2), available at:

http://www.php.net/downloads.php

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Advisory 02/2006: PHP ext/mysqli Format String

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP ext/mysqli Format String Vulnerability
 Release Date: 2006/01/12
Last Modified: 2006/01/12
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP5.1 <= 5.1.1
 Not Affected: PHP4, PHP 5.0.x
               PHP 5.1.x with Hardening-Patch
     Severity: A format string vulnerability in the exception handling
               of the new mysqli extension may result in remote code
               execution
         Risk: Low
Vendor Status: Vendor has released a bugfixed version
   References: http://www.hardened-php.net/advisory_022006.113.html


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the mysqli extension.
   
   PHP5 comes with the new mysqli extension, which recently got a new
   error reporting feature using exceptions. When an exception for such
   an error is thrown the error message is used as format string.
   Depending on the situation and configuration, f.e. a malicious MySQL 
   server or an erroneous SQL query (f.e. through SQL injection) can
   result in PHP reporting a (partly) user supplied error message, which
   can result in triggering the format string vulnerability, which can
   lead to remote code execution.


Details:

   PHP's new mysqli extension recently got a new error reporting mode
   that is using PHP exceptions to report errors generated by the SQL
   server or errors that occured when a connection cannot be established.
   
   Because of a flaw in the way the format string functions where called
   when such an exception is thrown the error message is used as format 
   string and might contain format string specifiers. Because this error
   message is generated by the mysql client library or the remote mysql
   server there are a number of ways a local or remote attacker can 
   influence the content of the message to cause arbitrary format strings
   to be parsed.
   
   By default the reporting mode will not report failed SQL queries 
   through this mechanism, but when it is enabled SQL injection 
   vulnerabilities can be used by remote attackers to feed arbitrary
   format strings to PHP's internal implementation of the format string
   functions. These functions also support the %n specifier and therefore
   can be exploited in ways similar to the standard fmt string exploits.
   (With the little problem that the %n implementation in PHP is buggy
   and therefore does not behave in the normal way).
   
   In the default reporting mode an attacker has to be either local and
   try to connect to invalid hostnames or remote with control over the
   error messages returned by the mysql server. (malicious server or
   man in the middle attack). In all cases there is the potential for
   attacker controlled memory corruption that could even lead to remote 
   code execution. The vulnerability is rated low risk, because it is
   believed to be hard for an external attacker to abuse this remotely.

   PHP servers using our Hardening-Patch are not exploitable because 
   since the very beginning of the patch we have the %n format string 
   specifier disabled, to protect against unknown format string 
   vulnerabilites.


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for this
   vulnerability to the public.


Recommendation:

   It is strongly recommended to upgrade to the latest appropriate PHP 
   release as soon as possible, because it does not only fix this
   vulnerability, but finally comes with a HTTP Response Splitting 
   protection. 
   
   Additionally we always recommend to run PHP with the Hardening-Patch
   applied, because this vulnerability once again proved that our users
   are protected against unknown vulnerabilities before they become
   public knowledge.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDxpDMRDkUzAqGSqERAvRPAJ9rl/UP6jYWv4gvhA5WBgETAG4UKQCfVmnQ
pynps3w+tBa+wi0y1WQ7rUo=
=rdnA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC