ID CVE-2006-4020
Summary scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
References
Vulnerable Configurations
  • PHP 4.0.0
    cpe:2.3:a:php:php:4.0
  • PHP PHP 4.0 Beta 1
    cpe:2.3:a:php:php:4.0:beta1
  • PHP PHP 4.0 Beta 2
    cpe:2.3:a:php:php:4.0:beta2
  • PHP PHP 4.0 Beta 3
    cpe:2.3:a:php:php:4.0:beta3
  • PHP PHP 4.0 Beta 4
    cpe:2.3:a:php:php:4.0:beta4
  • PHP PHP 4.0 Beta 4 Patch Level 1
    cpe:2.3:a:php:php:4.0:beta_4_patch1
  • cpe:2.3:a:php:php:4.0:rc1
    cpe:2.3:a:php:php:4.0:rc1
  • cpe:2.3:a:php:php:4.0:rc2
    cpe:2.3:a:php:php:4.0:rc2
  • PHP PHP 4.0.0
    cpe:2.3:a:php:php:4.0.0
  • PHP PHP 4.0.1
    cpe:2.3:a:php:php:4.0.1
  • cpe:2.3:a:php:php:4.0.1:patch1
    cpe:2.3:a:php:php:4.0.1:patch1
  • cpe:2.3:a:php:php:4.0.1:patch2
    cpe:2.3:a:php:php:4.0.1:patch2
  • PHP PHP 4.0.2
    cpe:2.3:a:php:php:4.0.2
  • PHP PHP 4.0.3
    cpe:2.3:a:php:php:4.0.3
  • cpe:2.3:a:php:php:4.0.3:patch1
    cpe:2.3:a:php:php:4.0.3:patch1
  • PHP PHP 4.0.4
    cpe:2.3:a:php:php:4.0.4
  • cpe:2.3:a:php:php:4.0.4:patch1
    cpe:2.3:a:php:php:4.0.4:patch1
  • PHP PHP 4.0.5
    cpe:2.3:a:php:php:4.0.5
  • PHP PHP 4.0.6
    cpe:2.3:a:php:php:4.0.6
  • PHP PHP 4.0.7
    cpe:2.3:a:php:php:4.0.7
  • cpe:2.3:a:php:php:4.0.7:rc1
    cpe:2.3:a:php:php:4.0.7:rc1
  • cpe:2.3:a:php:php:4.0.7:rc2
    cpe:2.3:a:php:php:4.0.7:rc2
  • cpe:2.3:a:php:php:4.0.7:rc3
    cpe:2.3:a:php:php:4.0.7:rc3
  • PHP PHP 4.1.0
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • cpe:2.3:a:php:php:4.2:-:dev
    cpe:2.3:a:php:php:4.2:-:dev
  • PHP PHP 4.2.0
    cpe:2.3:a:php:php:4.2.0
  • PHP PHP 4.2.1
    cpe:2.3:a:php:php:4.2.1
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP PHP 4.2.3
    cpe:2.3:a:php:php:4.2.3
  • PHP PHP 4.3.0
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP PHP 4.3.2
    cpe:2.3:a:php:php:4.3.2
  • PHP PHP 4.3.3
    cpe:2.3:a:php:php:4.3.3
  • PHP PHP 4.3.4
    cpe:2.3:a:php:php:4.3.4
  • PHP PHP 4.3.5
    cpe:2.3:a:php:php:4.3.5
  • PHP PHP 4.3.6
    cpe:2.3:a:php:php:4.3.6
  • PHP PHP 4.3.7
    cpe:2.3:a:php:php:4.3.7
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP PHP 4.3.10
    cpe:2.3:a:php:php:4.3.10
  • PHP PHP 4.3.11
    cpe:2.3:a:php:php:4.3.11
  • PHP PHP 4.4.0
    cpe:2.3:a:php:php:4.4.0
  • PHP PHP 4.4.1
    cpe:2.3:a:php:php:4.4.1
  • PHP PHP 4.4.2
    cpe:2.3:a:php:php:4.4.2
  • PHP PHP 4.4.3
    cpe:2.3:a:php:php:4.4.3
  • cpe:2.3:a:php:php:5.0:rc1
    cpe:2.3:a:php:php:5.0:rc1
  • cpe:2.3:a:php:php:5.0:rc2
    cpe:2.3:a:php:php:5.0:rc2
  • cpe:2.3:a:php:php:5.0:rc3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP PHP 5.0.0
    cpe:2.3:a:php:php:5.0.0
  • PHP PHP 5.0.0 Beta1
    cpe:2.3:a:php:php:5.0.0:beta1
  • PHP PHP 5.0.0 Beta2
    cpe:2.3:a:php:php:5.0.0:beta2
  • PHP PHP 5.0.0 Beta3
    cpe:2.3:a:php:php:5.0.0:beta3
  • PHP PHP 5.0.0 Beta4
    cpe:2.3:a:php:php:5.0.0:beta4
  • PHP PHP 5.0.0 RC1
    cpe:2.3:a:php:php:5.0.0:rc1
  • PHP PHP 5.0.0 RC2
    cpe:2.3:a:php:php:5.0.0:rc2
  • PHP PHP 5.0.0 RC3
    cpe:2.3:a:php:php:5.0.0:rc3
  • PHP PHP 5.0.1
    cpe:2.3:a:php:php:5.0.1
  • PHP PHP 5.0.2
    cpe:2.3:a:php:php:5.0.2
  • PHP PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
  • PHP PHP 5.0.4
    cpe:2.3:a:php:php:5.0.4
  • PHP PHP 5.0.5
    cpe:2.3:a:php:php:5.0.5
  • PHP PHP 5.1.0
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP PHP 5.1.2
    cpe:2.3:a:php:php:5.1.2
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
CVSS
Base: 4.6 (as of 09-08-2006 - 10:11)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit. CVE-2006-4020. Local exploit for linux platform
id EDB-ID:2193
last seen 2016-01-31
modified 2006-08-16
published 2006-08-16
reporter Andi
source https://www.exploit-db.com/download/2193/
title PHP <= 4.4.3 / 5.1.4 sscanf Local Buffer Overflow Exploit
nessus via4
  • NASL family CGI abuses
    NASL id PHP_4_4_4.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.4. As such, it is potentially affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not check the safe_mode or open_basedir functions. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 17710
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17710
    title PHP < 4.4.4 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2102.NASL
    description - the CURL module lacked checks for control characters (CVE-2006-2563)) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code. (CVE-2006-4020) - an uninitialized varable caused apache to crash during startup - corrupt gif images could crash php
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29374
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29374
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 2102)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0730.NASL
    description Updated PHP packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. From Red Hat Security Advisory 2006:0730 : The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) From Red Hat Security Advisory 2006:0669 : A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 67421
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67421
    title Oracle Linux 4 : php (ELSA-2006-0730 / ELSA-2006-0669)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-28 (PHP: Arbitary code execution) The sscanf() PHP function contains an array boundary error that can be exploited to dereference a NULL pointer. This can possibly allow the bypass of the safe mode protection by executing arbitrary code. Impact : A remote attacker might be able to exploit this vulnerability in PHP applications making use of the sscanf() function, potentially resulting in the execution of arbitrary code or the execution of scripted contents in the context of the affected site. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22290
    published 2006-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22290
    title GLSA-200608-28 : PHP: Arbitary code execution
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2039.NASL
    description - the CURL module lacked checks for control characters (CVE-2006-2563)) - str_repeat() contained an integer overflow - ext/wddx contained a buffer overflow - memory_limit() lacked checks for integer overflows - a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020) - an uninitialized varable caused apache to crash during startup - corrupt gif images could crash php
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27146
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27146
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-2039)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0682.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered found in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22444
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22444
    title RHEL 2.1 : php (RHSA-2006:0682)
  • NASL family CGI abuses
    NASL id PHP_5_1_5.NASL
    description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.5. Such versions may be affected by the following vulnerabilities : - The c-client library 2000, 2001, or 2004 for PHP does not check the safe_mode or open_basedir functions. (CVE-2006-1017) - A buffer overflow exists in the sscanf function. (CVE-2006-4020) - The file_exists and imap_reopen functions do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. (CVE-2006-4481) - Multiple heap-based buffer overflows exist in the str_repeat and wordwrap functions in ext/standard/string.c. (CVE-2006-4482) - The cURL extension files permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions. (CVE-2006-4483) - A buffer overflow vulnerability exists in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension. (CVE-2006-4484) - The stripos function is affected by an out-of-bounds read. (CVE-2006-4485)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 17713
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17713
    title PHP 5.1.x < 5.1.5 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0669.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22423
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22423
    title CentOS 3 / 4 : php (CESA-2006:0669)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-342-1.NASL
    description The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application's privileges. (CVE-2006-4020) The file_exists() and imap_reopen() functions did not perform proper open_basedir and safe_mode checks which could allow local scripts to bypass intended restrictions. (CVE-2006-4481) On 64 bit systems the str_repeat() and wordwrap() functions did not properly check buffer boundaries. Depending on the application, this could potentially be exploited to execute arbitrary code with the applications' privileges. This only affects the amd64 and sparc platforms. (CVE-2006-4482) A buffer overflow was discovered in the LWZReadByte_() function of the GIF image file parser. By tricking a PHP application into processing a specially crafted GIF image, a remote attacker could exploit this to execute arbitrary code with the application's privileges. (CVE-2006-4484). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27921
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27921
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-342-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0669.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22443
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22443
    title RHEL 3 / 4 : php (RHSA-2006:0669)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-144.NASL
    description A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read. Updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 23893
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23893
    title Mandrake Linux Security Advisory : php (MDKSA-2006:144)
oval via4
accepted 2013-04-29T04:11:12.491-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
family unix
id oval:org.mitre.oval:def:11062
status accepted
submitted 2010-07-09T03:56:16-04:00
title scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2006:0669
  • rhsa
    id RHSA-2006:0682
  • rhsa
    id RHSA-2006:0688
  • rhsa
    id RHSA-2006:0736
refmap via4
bid 19415
bugtraq 20060804 php local buffer underflow could lead to arbitary code execution
confirm
gentoo GLSA-200608-28
mandriva MDKSA-2006:144
misc http://www.plain-text.info/sscanf_bug.txt
sectrack 1016984
secunia
  • 21403
  • 21467
  • 21546
  • 21608
  • 21683
  • 21768
  • 21847
  • 22004
  • 22039
  • 22069
  • 22440
  • 22487
  • 22538
  • 23247
sgi 20061001-01-P
sreason 1341
suse
  • SUSE-SA:2006:052
  • SUSE-SR:2006:019
  • SUSE-SR:2006:020
  • SUSE-SR:2006:022
ubuntu USN-342-1
vupen ADV-2006-3193
Last major update 07-03-2011 - 21:40
Published 08-08-2006 - 16:04
Last modified 30-10-2018 - 12:25
Back to Top