CVE-2004-1019
CVSS10.0
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-25 21:59:02
NMCOP    

[原文]The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.


[CNNVD]PHP unserialize() 代码执行漏洞(CNNVD-200501-207)

        PHP是一种使用较为流行的Web脚本语言。
        PHP4.3.10之前版本及5.x系列至5.0.2版本中串并转换代码存在缺陷,可导致拒绝服务或执行任意代码。
        远程攻击者可通过提交不可信的数据给unserialize函数,利用此漏洞。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-20 [输入验证不恰当]

- CPE (受影响的平台与产品)

cpe:/a:php:php:4.0
cpe:/a:php:php:3.0.1PHP PHP 3.0.1
cpe:/a:php:php:3.0.11PHP PHP 3.0.11
cpe:/a:php:php:3.0.10PHP PHP 3.0.10
cpe:/a:php:php:3.0.2PHP PHP 3.0.2
cpe:/a:openpkg:openpkg:current
cpe:/a:openpkg:openpkg:2.1OpenPKG 2.1
cpe:/a:openpkg:openpkg:2.2OpenPKG 2.2
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.0.1PHP PHP 4.0.1
cpe:/a:php:php:4.1.1PHP PHP 4.1.1
cpe:/a:php:php:4.1.2PHP PHP 4.1.2
cpe:/a:php:php:4.3.1PHP PHP 4.3.1
cpe:/a:php:php:4.3.2PHP PHP 4.3.2
cpe:/a:php:php:4.3.3PHP PHP 4.3.3
cpe:/a:php:php:4.3.4PHP PHP 4.3.4
cpe:/a:php:php:5.0:rc3
cpe:/a:php:php:5.0:rc2
cpe:/a:php:php:5.0:rc1
cpe:/a:php:php:5.0.0PHP PHP 5.0.0
cpe:/o:trustix:secure_linux:2.2Trustix Secure Linux 2.2
cpe:/o:trustix:secure_linux:2.0Trustix Secure Linux 2.0
cpe:/o:trustix:secure_linux:2.1Trustix Secure Linux 2.1
cpe:/a:php:php:3.0.9PHP PHP 3.0.9
cpe:/a:php:php:3.0.18PHP PHP 3.0.18
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:3.0PHP PHP 3.0
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:4.0.7:rc3
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/a:php:php:5.0.1PHP PHP 5.0.1
cpe:/a:php:php:5.0.2PHP PHP 5.0.2
cpe:/a:php:php:4.1.0PHP PHP 4.1.0
cpe:/a:php:php:4.0.2PHP PHP 4.0.2
cpe:/a:php:php:4.2.0PHP PHP 4.2.0
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:4.0.3PHP PHP 4.0.3
cpe:/a:php:php:4.2.1PHP PHP 4.2.1
cpe:/a:php:php:4.0.4PHP PHP 4.0.4
cpe:/a:php:php:4.2.2PHP PHP 4.2.2
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:4.0.5PHP PHP 4.0.5
cpe:/a:php:php:4.2.3PHP PHP 4.2.3
cpe:/a:php:php:4.0.6PHP PHP 4.0.6
cpe:/a:php:php:4.0.7PHP PHP 4.0.7
cpe:/a:php:php:3.0.15PHP PHP 3.0.15
cpe:/a:php:php:3.0.5PHP PHP 3.0.5
cpe:/a:php:php:3.0.14PHP PHP 3.0.14
cpe:/a:php:php:3.0.6PHP PHP 3.0.6
cpe:/a:php:php:3.0.13PHP PHP 3.0.13
cpe:/a:php:php:3.0.3PHP PHP 3.0.3
cpe:/a:php:php:3.0.12PHP PHP 3.0.12
cpe:/a:php:php:3.0.4PHP PHP 3.0.4
cpe:/a:php:php:3.0.17PHP PHP 3.0.17
cpe:/a:php:php:3.0.7PHP PHP 3.0.7
cpe:/a:php:php:3.0.16PHP PHP 3.0.16
cpe:/a:php:php:3.0.8PHP PHP 3.0.8
cpe:/a:php:php:4.3
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/a:php:php:4.3.5PHP PHP 4.3.5
cpe:/a:php:php:4.3.6PHP PHP 4.3.6
cpe:/a:php:php:4.3.7PHP PHP 4.3.7
cpe:/a:php:php:4.3.8PHP PHP 4.3.8
cpe:/a:php:php:4.3.9PHP PHP 4.3.9
cpe:/a:php:php:4.2::dev

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10511The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbit...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1019
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1019
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-207
(官方数据源) CNNVD

- 其它链接及资源

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00029.html
(UNKNOWN)  SUSE  SUSE-SU-2015:0365
http://lists.opensuse.org/opensuse-updates/2015-02/msg00079.html
(UNKNOWN)  SUSE  openSUSE-SU-2015:0325
http://marc.info/?l=bugtraq&m=110314318531298&w=2
(UNKNOWN)  BUGTRAQ  20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
http://msgs.securepoint.com/cgi-bin/get/bugtraq0412/157.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2004.053
http://www.hardened-php.net/advisories/012004.txt
(UNKNOWN)  MISC  http://www.hardened-php.net/advisories/012004.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
(UNKNOWN)  MANDRAKE  MDKSA-2004:151
http://www.novell.com/linux/security/advisories/2005_02_php4_mod_php4.html
(UNKNOWN)  SUSE  SUSE-SA:2005:002
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.php.net/release_4_3_10.php
(UNKNOWN)  CONFIRM  http://www.php.net/release_4_3_10.php
http://www.redhat.com/support/errata/RHSA-2004-687.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:687
http://www.redhat.com/support/errata/RHSA-2005-032.html
(UNKNOWN)  REDHAT  RHSA-2005:032
http://www.redhat.com/support/errata/RHSA-2005-816.html
(UNKNOWN)  REDHAT  RHSA-2005:816
http://www.securityfocus.com/advisories/9028
(UNKNOWN)  HP  HPSBMA01212
http://xforce.iss.net/xforce/xfdb/18514
(UNKNOWN)  XF  php-unserialize-code-execution(18514)
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(UNKNOWN)  FEDORA  FLSA:2344

- 漏洞信息

PHP unserialize() 代码执行漏洞
危急 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00
远程※本地  
        PHP是一种使用较为流行的Web脚本语言。
        PHP4.3.10之前版本及5.x系列至5.0.2版本中串并转换代码存在缺陷,可导致拒绝服务或执行任意代码。
        远程攻击者可通过提交不可信的数据给unserialize函数,利用此漏洞。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.php.net/downloads.php

- 漏洞信息 (F35361)

012004.txt (PacketStormID:F35361)
2004-12-30 00:00:00
Stefan Esser  hardened-php.net
advisory,remote,arbitrary,local,php,vulnerability
CVE-2004-1018,CVE-2004-1019,CVE-2004-1063,CVE-2004-1064
[点击下载]

Hardened-PHP Project Security Advisory - Several vulnerabilities within PHP allow local and remote execution of arbitrary code. PHP4 versions 4.3.9 and below and PHP5 version 5.0.2 and below are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser@php.net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt


Overview:

   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from bufferoverflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.
   

Details:

   [01 - pack() - integer overflow leading to heap bufferoverflow ]
   
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.
   
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within
   webapplications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   
   [04 - safe_mode bypass through path truncation ]
   
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   
   [05 - path truncation in realpath() ]
   
   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/config.inc.php"; is used on such
   systems.
   
   [06 - unserialize() - wrong handling of negative references ]
   
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   
   [07 - unserialize() - wrong handling of references to freed data ]
   
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   an universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   
   Examples of vulnerable scripts:
   
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----

    

- 漏洞信息

12415
PHP unserialize() Function Negative Reference Arbitrary Code Execution
Loss of Integrity
Vendor Verified

- 漏洞描述

PHP contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the deserialization code not properly sanitizing user-supplied input. This may allow an attacker to pass crafted content to the unserialize function and cause a denial of service or execute arbitrary code.

- 时间线

2004-12-15 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站