CVE-2004-1065
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2010-08-21 00:21:44

[Original] Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.


[CNNVD] PHP exif_read_data() Buffer Overflow Vulnerability (CNNVD-200501-060)

        PHP is a popular server-side web programming language.
        The exif_read_data function in PHP versions before 4.3.10 and in 5.x up to 5.0.2 contains a buffer overflow vulnerability.
        A remote attacker can use an image file containing an over-long section name to execute arbitrary code.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:php:php:3.0.17  PHP PHP 3.0.17
cpe:/a:php:php:3.0.13  PHP PHP 3.0.13
cpe:/a:php:php:4.0.1  PHP PHP 4.0.1
cpe:/a:openpkg:openpkg:2.1  OpenPKG 2.1
cpe:/a:php:php:4.3.1  PHP PHP 4.3.1
cpe:/a:php:php:4.3.7  PHP PHP 4.3.7
cpe:/a:php:php:3.0.1  PHP PHP 3.0.1
cpe:/a:php:php:4.2.0  PHP PHP 4.2.0
cpe:/a:php:php:5.0.1  PHP PHP 5.0.1
cpe:/a:php:php:3.0.14  PHP PHP 3.0.14
cpe:/a:php:php:4.2.2  PHP PHP 4.2.2
cpe:/a:php:php:5.0:rc1
cpe:/a:php:php:4.0.7:rc3
cpe:/a:openpkg:openpkg:2.2  OpenPKG 2.2
cpe:/a:php:php:4.0.2  PHP PHP 4.0.2
cpe:/a:php:php:4.0.6  PHP PHP 4.0.6
cpe:/a:php:php:5.0:rc3
cpe:/a:php:php:4.1.2  PHP PHP 4.1.2
cpe:/a:php:php:4.0.5  PHP PHP 4.0.5
cpe:/o:trustix:secure_linux:2.0  Trustix Secure Linux 2.0
cpe:/a:php:php:4.2::dev
cpe:/o:trustix:secure_linux:2.1  Trustix Secure Linux 2.1
cpe:/a:php:php:4.3.6  PHP PHP 4.3.6
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.3
cpe:/a:php:php:4.0.4  PHP PHP 4.0.4
cpe:/a:php:php:3.0.15  PHP PHP 3.0.15
cpe:/a:php:php:4.3.4  PHP PHP 4.3.4
cpe:/a:php:php:3.0.9  PHP PHP 3.0.9
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/a:openpkg:openpkg:current
cpe:/a:php:php:4.0.3  PHP PHP 4.0.3
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/a:php:php:5.0:rc2
cpe:/a:php:php:4.3.2  PHP PHP 4.3.2
cpe:/a:php:php:4.3.3  PHP PHP 4.3.3
cpe:/o:trustix:secure_linux:2.2  Trustix Secure Linux 2.2
cpe:/a:php:php:3.0.16  PHP PHP 3.0.16
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:3.0.2  PHP PHP 3.0.2
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:3.0.5  PHP PHP 3.0.5
cpe:/a:php:php:3.0.7  PHP PHP 3.0.7
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:5.0.0  PHP PHP 5.0.0
cpe:/a:php:php:5.0.2  PHP PHP 5.0.2
cpe:/a:php:php:4.2.1  PHP PHP 4.2.1
cpe:/a:php:php:4.0
cpe:/a:php:php:3.0.11  PHP PHP 3.0.11
cpe:/a:php:php:4.1.1  PHP PHP 4.1.1
cpe:/a:php:php:3.0.6  PHP PHP 3.0.6
cpe:/a:php:php:4.0.7  PHP PHP 4.0.7
cpe:/a:php:php:3.0.10  PHP PHP 3.0.10
cpe:/a:php:php:3.0.12  PHP PHP 3.0.12
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:3.0.8  PHP PHP 3.0.8
cpe:/a:php:php:3.0.18  PHP PHP 3.0.18
cpe:/a:php:php:4.3.8  PHP PHP 4.3.8
cpe:/a:php:php:3.0.3  PHP PHP 3.0.3
cpe:/a:php:php:4.1.0  PHP PHP 4.1.0
cpe:/a:php:php:3.0  PHP PHP 3.0
cpe:/a:php:php:4.3.9  PHP PHP 4.3.9
cpe:/a:php:php:3.0.4  PHP PHP 3.0.4
cpe:/a:php:php:4.3.5  PHP PHP 4.3.5
cpe:/a:php:php:4.2.3  PHP PHP 4.2.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10877  Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary cod...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1065
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1065
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-060
(official data source) CNNVD

- Other links and resources

http://www.redhat.com/support/errata/RHSA-2004-687.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:687
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(UNKNOWN)  FEDORA  FLSA:2344
http://xforce.iss.net/xforce/xfdb/18517
(UNKNOWN)  XF  php-exifreaddata-bo(18517)
http://www.redhat.com/support/errata/RHSA-2005-032.html
(UNKNOWN)  REDHAT  RHSA-2005:032
http://www.php.net/release_4_3_10.php
(UNKNOWN)  CONFIRM  http://www.php.net/release_4_3_10.php
http://www.novell.com/linux/security/advisories/2005_02_php4_mod_php4.html
(UNKNOWN)  SUSE  SUSE-SA:2005:002
http://msgs.securepoint.com/cgi-bin/get/bugtraq0412/157.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2004.053
http://www.securityfocus.com/advisories/9028
(UNKNOWN)  HP  HPSBMA01212
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
(UNKNOWN)  MANDRAKE  MDKSA-2004:151

- Vulnerability information

PHP exif_read_data() Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        PHP is a popular server-side web programming language.
        The exif_read_data function in PHP versions before 4.3.10 and in 5.x up to 5.0.2 contains a buffer overflow vulnerability.
        A remote attacker can use an image file containing an over-long section name to execute arbitrary code.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the patch is available from:
        http://www.php.net/downloads.php

- Vulnerability information

12602
PHP exif_read_data Section Name Command Execution
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-11-23 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHP JPEG Image Buffer Overflow Vulnerability
Boundary Condition Error 11992
Yes No
2004-12-16 12:00:00 2009-07-12 09:26:00
Ilia Alshanetsky disclosed this vulnerability.

- Affected program versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core1
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
PHP PHP 4.3
PHP PHP 4.2.3
PHP PHP 4.2.2
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
PHP PHP 4.1.1
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
PHP PHP 4.0.5
PHP PHP 4.0.4
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
PHP PHP 3.0 .10
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG Current
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
Conectiva Linux 10.0
Conectiva Linux 9.0
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0

- Unaffected program versions

PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
HP System Management Homepage 2.1
Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

- Vulnerability discussion

It is reported that PHP is susceptible to a buffer overflow vulnerability in handling JPEG images. This issue is due to a failure of the application to properly bounds check user-supplied image data prior to copying it into a fixed-size memory buffer.

This vulnerability allows remote attackers to alter the proper flow of execution of the application, potentially resulting in the execution of attacker-supplied machine code in the context of the web server executing the PHP interpreter.
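The bounds-check failure described above, as an added illustration in C that is not PHP's source and not part of this record: a hypothetical section-name parser in which the file-supplied length is copied into a fixed buffer unchecked, beside a version that validates the length against both the input and the destination, run on constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed illustration of the bug class (not PHP's exif code): a section
 * name arrives as a length byte followed by that many characters. */
#define SECTION_NAME_MAX 16

struct section { char name[SECTION_NAME_MAX]; size_t data_len; };

/* Flawed pattern: trusts the file-supplied length and copies it straight into
 * the fixed buffer. Shown for contrast only; never called below. */
void read_section_unchecked(const uint8_t *p, struct section *s) {
    size_t n = p[0];
    memcpy(s->name, p + 1, n);              /* writes past name[] when n >= 16 */
    s->name[n] = '\0';
}

/* Hardened pattern: every length taken from the file is checked against both
 * the remaining input and the destination size before any copy. Returns 0 on
 * success, -1 if the name is too long or runs past the end of the input. */
int read_section_checked(const uint8_t *p, size_t avail, struct section *s) {
    if (avail < 1) return -1;
    size_t n = p[0];
    if (n >= SECTION_NAME_MAX) return -1;   /* keep room for the terminator */
    if (n > avail - 1) return -1;           /* name must lie inside the input */
    memcpy(s->name, p + 1, n);
    s->name[n] = '\0';
    s->data_len = avail - 1 - n;            /* payload bytes after the name */
    return 0;
}

/* Constructed inputs: a well-formed name, an oversized name, a truncated one. */
int demo_short_name(void) {
    const uint8_t buf[] = {5, 'T', 'h', 'u', 'm', 'b', 0xAA, 0xBB};
    struct section s;
    return read_section_checked(buf, sizeof buf, &s) == 0 &&
           strcmp(s.name, "Thumb") == 0 && s.data_len == 2;
}

int demo_long_name(void) {
    uint8_t buf[201] = {200};               /* length 200 against a 16-byte name[] */
    struct section s;
    return read_section_checked(buf, sizeof buf, &s) == -1;
}

int demo_truncated(void) {
    const uint8_t buf[] = {10, 'a', 'b'};   /* claims 10 bytes, only 2 present */
    struct section s;
    return read_section_checked(buf, sizeof buf, &s) == -1;
}
```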

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Conectiva has released advisory CLA-2005:915 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Turbolinux has released advisory TLSA-2005-01-13 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Ubuntu Linux has released advisory USN-40-1 along with fixes to address this, and other issues. Please see the referenced advisory for further information.

OpenPKG has released advisory OpenPKG-SA-2004.053 to address these, and other issues. Please see the referenced advisory for further information.

Mandrake has released advisory MDKSA-2004:151 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released updates to address this issue. Updates may be applied by running the following commands as the superuser:

(for PHP)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-4.3.10"

(for mod_php)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.10"

(for php_cgi)
emerge --sync
emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.10"

The vendor has released updates to address these issues:

Trustix Secure Linux has released an advisory (TSLSA-2004-0066) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Red Hat has released Red Hat Enterprise Linux advisory RHSA-2004:687-05 to address various issues including this in PHP. Please see the referenced advisory for more information.

Fedora has released advisories FEDORA-2004-567 and FEDORA-2004-568 to address various PHP issues in Fedora Core 2 and Fedora Core 3. Please see the referenced advisories for more information.

Conectiva has released an advisory (CLSA-2005:915) to address issues in PHP. Please see the advisory in Web references for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

S.u.S.E. Linux has made an advisory (SUSE-SA:2005:002) available dealing with this issue. Please see the referenced advisory for more information.

Apple Computers has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.

Apple Computers has released Mac OS X version 10.3.8 dealing with this issue. This upgrade includes the security patches shipped with the referenced security update.

Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.

HP has released advisory HPSBMA01212 to address various issues affecting System Management Homepage. Please see the referenced advisory for more information.

HP has released revision 1 of advisory HPSBMA01212 to address various issues affecting System Management Homepage. Please see the referenced advisory for more information.

Revised HP advisory HPSBMA01212 (SSRT5998 Rev.2 HP System Management Homepage(v2.0.x) Denial of Service (DoS) and XSS) including updated resolutions is available. Please see the referenced advisory for more information.

- Related references
