CVE-2018-7584
published 2018-03-01

Priority: P277, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 87.88% (99.7th percentile)

In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.

Affected

15 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0 | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| php | php | <= 5.6.33 | |
| php | php | >= 7.0.0 < 7.0.28 | 7.0.28 |
| php | php | 7.1.0 – 7.1.14 | |
| php | php | 7.2.0 – 7.2.2 | |
| php5 | php5 | >= 0 < 5.6.34-r0 | 5.6.34-r0 |
| php5 | php5 | >= 0 < 5.6.34-r0 | 5.6.34-r0 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.24 | 5.5.9+dfsg-1ubuntu4.24 |

Detection & IOCs (extracted from sources)

path: ext/standard/http_fopen_wrapper.c
  • Trigger condition: a malformed HTTP response where the first line contains no '\r' before '\n' (e.g. payload bytes 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a) causes tmp_line_len to decrement to -1, resulting in an abnormally large string copy in php_stream_url_wrap_http_ex.
  • Vulnerable function is php_stream_url_wrap_http_ex at http_fopen_wrapper.c line 723; monitor PHP processes making outbound HTTP requests to attacker-controlled servers returning crafted responses.
  • Affected PHP versions: through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2. Detect these versions in your environment as unpatched targets.
  • The PoC uses a netcat listener on port 8080 to serve the malformed HTTP response; watch for PHP processes connecting to non-standard HTTP ports (e.g. 8080) and receiving abnormally short/malformed response headers.
  • The stack-buffer under-read only manifests when PHP parses an HTTP response where the response line lacks a proper '\r\n' terminator; exploitation requires PHP to initiate an HTTP request (e.g. via file_get_contents, fopen wrappers) to an attacker-controlled server.
  • Under ASAN the bug produces a segfault/abort; on production (non-ASAN) builds the under-read may silently copy stack data, making crash-based detection unreliable.

CVSS provenance

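| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |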