CVE-2016-4071
published 2016-05-20


Priority: P272 (critical)
CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 19.45% (97.0th percentile)
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.

Affected

62 ranges (showing 25)

Vendor   Product                                                  Version range   Fixed in
apple    mac_os_x                                                 <= 10.11.4
apple    os_x_el_capitan_v10.11.5_and_security_update_2016-003
php      php                                                      (23 ranges listed; version bounds missing from this extract)

Detection & IOCs (extracted from sources)

command: $session->exceptions_enabled = SNMP::ERRNO_ANY; $session->get($format_string);
command: str_repeat("%d", 13) . $stack_pivot_2 . "Xw00t%lxw00t"
command: str_repeat("%d", 13) . "%Z"
path:    ext/snmp/snmp.c
  • The vulnerability is only triggerable when SNMP exceptions are enabled on the SNMP object (exceptions_enabled = SNMP::ERRNO_ANY). Monitor PHP applications that set this flag and pass user-controlled data to SNMP::get().
  • The exploit uses a two-stage approach: first leaking a pointer via 'w00t%lxw00t' marker in the format string, then triggering code execution. Look for SNMP exception messages containing hex pointer values flanked by the string 'w00t'.
  • The vulnerable code path is php_snmp_error() in ext/snmp/snmp.c where snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a '%s' format argument. Patch reference: commit 6e25966544fb1d2f3d7596e060ce9c9269bbdcf8.
  • The vulnerability is only exploitable when SNMP exception processing is enabled on the PHP SNMP object. Disabling exceptions prevents exploitation.
  • If the leaked pointer contains null bytes or percent signs (after subtracting 0x10), the exploit will fail and bail out.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_redhat             9.8     CRITICAL
vendor_ubuntu             7.3     HIGH