CVE-2016-4071
Published: 2016-05-20
Priority: P272 · critical · 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 19.45% (97.0th percentile)
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
Affected
62 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.4 | — |
| apple | os_x_el_capitan_v10.11.5_and_security_update_2016-003 | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is only triggerable when SNMP exceptions are enabled on the SNMP object (exceptions_enabled = SNMP::ERRNO_ANY). Monitor PHP applications that set this flag and pass user-controlled data to SNMP::get().
- The exploit uses a two-stage approach: first leaking a pointer via a 'w00t%lxw00t' marker in the format string, then triggering code execution. Look for SNMP exception messages containing hex pointer values flanked by the string 'w00t'.
- The vulnerable code path is php_snmp_error() in ext/snmp/snmp.c, where snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a '%s' format argument. Patch reference: commit 6e25966544fb1d2f3d7596e060ce9c9269bbdcf8.
- The vulnerability is only exploitable when SNMP exception processing is enabled on the PHP SNMP object. Disabling exceptions prevents exploitation.
- If the leaked pointer contains null bytes or percent signs (after subtracting 0x10), the exploit will fail and bail out.
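The defect the bullets describe is the classic CWE-134 pattern: an error string that can echo attacker-influenced input is handed to a printf-style sink as the format argument instead of as a "%s" operand. The following C program is an added example written for this page, not PHP's own code; throw_error() is a hypothetical stand-in for zend_throw_exception_ex(), and report_unsafe()/report_safe() are constructed names that show the defective call beside the fixed one. has_format_directive() is a small review/detection helper that flags strings carrying a live conversion directive, which is the property a log-scanning rule for the 'w00t%lx' marker relies on.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style exception sink such as
 * zend_throw_exception_ex(): formats its arguments into a fresh heap
 * string and returns it (caller frees). Not PHP's code. */
static char *throw_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0)
        return NULL;
    char *out = malloc((size_t)len + 1);
    if (!out)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(out, (size_t)len + 1, fmt, ap);
    va_end(ap);
    return out;
}

/* The defect pattern from the advisory: the error text (which may
 * carry attacker-influenced SNMP data) is itself the format string,
 * so any '%' directive in it is interpreted by the formatter.
 * Only call this with text known to contain no '%'; the demo below
 * does exactly that so the behaviour stays well-defined. */
static char *report_unsafe(const char *errstr)
{
    return throw_error(errstr);
}

/* The fixed pattern: a constant format with the untrusted text bound
 * to a "%s" operand, so '%' characters in errstr remain literal. */
static char *report_safe(const char *errstr)
{
    return throw_error("%s", errstr);
}

/* Review / detection helper: does the string contain a printf
 * conversion directive, i.e. a '%' not immediately escaped by a
 * second '%'?  "%%" is a literal percent sign and is ignored. */
static int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {
            p++;            /* skip the escaped pair "%%" */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. The second is the marker string the
     * advisory's detection note refers to. */
    const char *benign  = "No response from 192.0.2.10";
    const char *hostile = "w00t%lxw00t";

    char *safe = report_safe(hostile);
    printf("safe sink output   : %s\n", safe);          /* marker left verbatim */
    printf("directive present  : %d\n", has_format_directive(hostile));

    char *plain = report_unsafe(benign);                /* no '%' -> well-defined */
    printf("unsafe sink, benign: %s\n", plain);

    free(safe);
    free(plain);
    return 0;
}
```

The fix in the upstream commit referenced above amounts to the difference between report_unsafe() and report_safe(): same sink, same data, but the data is no longer the format. The has_format_directive() check is the kind of predicate to run over exception messages or over strings reaching any vararg formatter during code review.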
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2016-05-24 · CVSS 7.3
CVE-2015-8865 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP Fileinfo component incorrectly handled
certain magic files. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)
Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly
handled certain malformed Zip archives. A remote attacker could use this
issue to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-3078)
It was discovered that PHP incorrectly handled invalid indexes in the
SplDoublyLinkedList class. An attacker could use this issue to cause
Red Hat
php: Format string vulnerability in php_snmp_error()
vendor_redhat · 2016-03-02 · CVSS 9.8
CVE-2016-4071 [CRITICAL] CWE-134 php: Format string vulnerability in php_snmp_error()
php: Format string vulnerability in php_snmp_error()
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
Mitigation: Do not enable exceptions when using the SNMP object.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 7) - Affected
Package: php54-php (Red Hat Software Collections) - Will not fix
Package: php55-php (Red Hat Software Collections) - Will not fix
Apple
CVE-2016-4071: OS X El Capitan v10.11.5 and Security Update 2016-003
vendor_apple · CVSS 9.8
CVE-2016-4071 [CRITICAL] CVE-2016-4071: OS X El Capitan v10.11.5 and Security Update 2016-003
Apple Security Update: About the security content of OS X El Capitan v10.11.5 and Security Update 2016-003
Product: OS X El Capitan v10.11.5 and Security Update 2016-003
CVE: CVE-2016-4071
Component: CVE-2016-4071
GHSA
GHSA-g8wv-2fpc-qgf8: Format string vulnerability in the php_snmp_error function in ext/snmp/snmp
ghsa_unreviewed · 2022-05-14
CVE-2016-4071 [CRITICAL] CWE-20 GHSA-g8wv-2fpc-qgf8: Format string vulnerability in the php_snmp_error function in ext/snmp/snmp
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
OSV
php5, php7.0 vulnerabilities
osv · 2016-05-24 · CVSS 7.3
CVE-2015-8865 [HIGH] php5, php7.0 vulnerabilities
php5, php7.0 vulnerabilities
It was discovered that the PHP Fileinfo component incorrectly handled
certain magic files. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)
Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly
handled certain malformed Zip archives. A remote attacker could use this
issue to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-3078)
It was discovered that PHP incorrectly handled invalid indexes in the
SplDoublyLinkedList class. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or
OSV
CVE-2016-4071: Format string vulnerability in the php_snmp_error function in ext/snmp/snmp
osv · 2016-04-25 · CVSS 9.8
CVE-2016-4071 [CRITICAL] CVE-2016-4071: Format string vulnerability in the php_snmp_error function in ext/snmp/snmp
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
No detection rules found.
Bugzilla
CVE-2016-4071 php: Format string vulnerability in php_snmp_error() [fedora-all]
bugzilla · 2016-04-01 · CVSS 9.8
CVE-2016-4071 [CRITICAL] CVE-2016-4071 php: Format string vulnerability in php_snmp_error() [fedora-all]
CVE-2016-4071 php: Format string vulnerability in php_snmp_error() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
bugzilla · 2016-04-01 · CVSS 9.8
CVE-2016-4071 [CRITICAL] CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
A format string vulnerability was found in php_snmp_error() in ext/snmp/snmp.c, possibly leading to code execution. snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a "%s".
Upstream bug:
https://bugs.php.net/bug.php?id=71704
Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1323112]
---
php-5.6.20-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
php-5.6.20-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in th
References
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.debian.org/security/2016/dsa-3560
- http://www.openwall.com/lists/oss-security/2016/04/24/1
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/85800
- http://www.ubuntu.com/usn/USN-2952-1
- http://www.ubuntu.com/usn/USN-2952-2
- https://bugs.php.net/bug.php?id=71704
- https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://security.gentoo.org/glsa/201611-22
- https://support.apple.com/HT206567
- https://www.exploit-db.com/exploits/39645/
Published: 2016-05-20