CVE-2017-16642
published 2017-11-07

Priority P261 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 26.37% (97.7th percentile)
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

Affected

7 ranges
Vendor    | Product      | Version range                 | Fixed in
canonical | ubuntu_linux |                               |
debian    | debian_linux |                               |
debian    | debian_linux |                               |
php       | php          | < 5.6.32                      | 5.6.32
php       | php          | >= 7.0.0 < 7.0.25             | 7.0.25
php       | php          | >= 7.1.0 < 7.1.11             | 7.1.11
php5      | php5         | >= 0 < 5.5.9+dfsg-1ubuntu4.23 | 5.5.9+dfsg-1ubuntu4.23

Detection & IOCs (extracted from sources)

path: ext/date/lib/parse_date.c
  • The vulnerability is triggered via wddx_deserialize() processing date strings containing 'front of' or 'back of' directives, causing a heap out-of-bounds read in timelib_meridian(). Monitor for calls to wddx_deserialize() with untrusted input containing these date directive strings.
  • The crash occurs at parse_date.c:410 in timelib_meridian, called from scan() -> timelib_strtotime() -> php_parse_date() -> php_wddx_process_data(). Stack traces matching this call chain indicate exploitation attempts.
  • Affected PHP versions are before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11. Detect vulnerable PHP instances by version fingerprinting.
  • The exploit PoC uses a WDDX-formatted XML payload containing the date string 'frONt of 0 0' (case-insensitive). Inspect WDDX deserialization inputs for 'front of' or 'back of' date directive patterns.
  • The build configuration used in the PoC enables WDDX and AddressSanitizer; the vulnerability is reproducible without ASan but the crash output shown is ASan-instrumented. The --enable-wddx compile flag is required for the wddx_deserialize() attack vector.
  • Other vectors beyond wddx_deserialize() that call php_parse_date() on untrusted input are also affected, not just the WDDX extension.
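A triage helper for the version and input checks listed above, as an added example that is not code from this page or from the PHP project. The function names and sample inputs are hypothetical; it compares upstream version numbers only, so distribution packages with backported fixes (such as the Ubuntu php5 build in the table) need the vendor's fixed package version instead.

```python
import re

# Fixed releases for the 7.x branches, taken from the advisory text above.
FIXED_7X = {(7, 0): (7, 0, 25), (7, 1): (7, 1, 11)}
FIXED_5X = (5, 6, 32)  # "before 5.6.32" also covers every older branch

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# 'front of' / 'back of' in any letter case, with flexible whitespace.
_DIRECTIVE = re.compile(r"\b(?:front|back)\s+of\b", re.IGNORECASE)


def php_is_affected(version):
    """True if an upstream PHP version string falls in an affected range."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v < FIXED_5X:
        return True
    fixed = FIXED_7X.get(v[:2])  # branches not listed (e.g. 7.2) are not affected
    return fixed is not None and v < fixed


def find_directives(text):
    """Return every 'front of' / 'back of' occurrence in an untrusted string."""
    return [m.group(0) for m in _DIRECTIVE.finditer(text)]


def triage(php_version, inputs):
    """Inputs worth reviewing on a host whose PHP version is affected.

    A hit is a lead, not a verdict: these directives are also valid in
    ordinary relative date strings.
    """
    if not php_is_affected(php_version):
        return []
    return [s for s in inputs if find_directives(s)]


# Constructed sample inputs; the second is the date string quoted above.
SAMPLES = ["2017-11-07 10:00", "frONt of 0 0", "BACK   OF 7pm"]

if __name__ == "__main__":
    for ver in ("5.6.31", "7.0.25", "7.1.10"):
        print(ver, php_is_affected(ver), triage(ver, SAMPLES))
```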

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 9.8   | CRITICAL |
vendor_redhat |         | 7.5   | HIGH     |