ID CVE-2015-4643
Summary Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022.
References
Vulnerable Configurations
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6
  • Red Hat Enterprise Linux Advanced mission critical Update Support (AUS) 7.3
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.4
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:6.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:6.6
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.1
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.1
  • Red Hat Enterprise Linux Server EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.3
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.4
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.5
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 6.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Oracle Linux 6.0
    cpe:2.3:o:oracle:linux:6.0
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7:0
CVSS
Base: 7.5 (as of 22-06-2016 - 09:55)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-561.NASL
    description Upstream reports that six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416). All PHP 5.4 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 84623
    published 2015-07-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84623
    title Amazon Linux AMI : php54 (ALAS-2015-561)
  • NASL family Firewalls
    NASL id PFSENSE_SA-15_06.NASL
    description According to its self-reported version number, the remote pfSense install is prior to 2.2.3. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 106495
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106495
    title pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07) (Logjam)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-198-02.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 84830
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84830
    title Slackware 14.0 / 14.1 / current : php (SSA:2015-198-02) (BACKRONYM)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-307.NASL
    description - CVE-2015-3307 The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive. - CVE-2015-3411 + CVE-2015-3412 Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions) - CVE-2015-4021 The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive. - CVE-2015-4022 Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. - CVE-2015-4025 PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. - CVE-2015-4026 The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. - CVE-2015-4147 The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a 'type confusion' issue. - CVE-2015-4148 The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a 'type confusion' issue. - CVE-2015-4598 Incorrect handling of paths with NULs - CVE-2015-4599 Type confusion vulnerability in exception::getTraceAsString - CVE-2015-4600 + CVE-2015-4601 Added type checks - CVE-2015-4602 Type Confusion Infoleak Vulnerability in unserialize() with SoapFault - CVE-2015-4604 + CVE-2015-4605 denial of service when processing a crafted file with Fileinfo (already fixed in CVE-2015-temp-68819.patch) - CVE-2015-4643 Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) - CVE-2015-4644 Fixed bug #69667 (segfault in php_pgsql_meta_data) - CVE-2015-5589 Segfault in Phar::convertToData on invalid file - CVE-2015-5590 Buffer overflow and stack smashing error in phar_fix_filepath NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 85808
    published 2015-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85808
    title Debian DLA-307-1 : php5 security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CDFF0AF2149211E5A1CF002590263BF5.NASL
    description The PHP project reports : DOM and GD : - Fixed bug #69719 (Incorrect handling of paths with NULs). FTP : - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643) Postgres : - Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 84326
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84326
    title FreeBSD : php5 -- multiple vulnerabilities (cdff0af2-1492-11e5-a1cf-002590263bf5)
  • NASL family CGI abuses
    NASL id PHP_5_5_26.NASL
    description According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.26. It is, therefore, affected by multiple vulnerabilities : - Multiple heap buffer overflow conditions exist in the bundled Perl-Compatible Regular Expression (PCRE) library due to improper validation of user-supplied input to the compile_branch() and pcre_compile2() functions. A remote attacker can exploit these conditions to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2325, CVE-2015-2326) - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of quotes in collation sequence names. A remote attacker can exploit this to cause uninitialized memory access, resulting in denial of service condition. (CVE-2015-3414) - A denial of service vulnerability exists in the bundled SQLite component due to an improper implementation of comparison operators in the sqlite3VdbeExec() function in vdbe.c. A remote attacker can exploit this to cause an invalid free operation, resulting in a denial of service condition. (CVE-2015-3415) - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of precision and width values during floating-point conversions in the sqlite3VXPrintf() function in printf.c. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-3416) - A security bypass vulnerability exists due to a failure in multiple extensions to check for NULL bytes in a path when processing or reading a file. A remote attacker can exploit this, by combining the '\0' character with a safe file extension, to bypass access restrictions. (CVE-2015-4598) - An arbitrary command injection vulnerability exists due to a flaw in the php_escape_shell_arg() function in exec.c. A remote attacker can exploit this, via the escapeshellarg() PHP method, to inject arbitrary operating system commands. (CVE-2015-4642) - A heap buffer overflow condition exists in the ftp_genlist() function in ftp.c. due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4643) - A denial of service vulnerability exists due to a NULL pointer dereference flaw in the build_tablename() function in pgsql.c. An authenticated, remote attacker can exploit this to cause an application crash. (CVE-2015-4644) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 84363
    published 2015-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84363
    title PHP 5.5.x < 5.5.26 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3344.NASL
    description Multiple vulnerabilities have been discovered in the PHP language : - CVE-2015-4598 thoger at redhat dot com discovered that paths containing a NUL character were improperly handled, thus allowing an attacker to manipulate unexpected files on the server. - CVE-2015-4643 Max Spelsberg discovered an integer overflow flaw leading to a heap-based buffer overflow in PHP's FTP extension, when parsing listings in FTP server responses. This could lead to a a crash or execution of arbitrary code. - CVE-2015-4644 A denial of service through a crash could be caused by a segfault in the php_pgsql_meta_data function. - CVE-2015-5589 kwrnel at hotmail dot com discovered that PHP could crash when processing an invalid phar file, thus leading to a denial of service. - CVE-2015-5590 jared at enhancesoft dot com discovered a buffer overflow in the phar_fix_filepath function, that could causes a crash or execution of arbitrary code. - Additionally, several other vulnerabilites were fixed : sean dot heelan at gmail dot com discovered a problem in the unserialization of some items, that could lead to arbitrary code execution. stewie at mail dot ru discovered that the phar extension improperly handled zip archives with relative paths, which would allow an attacker to overwrite files outside of the destination directory. taoguangchen at icloud dot com discovered several use-after-free vulnerabilities that could lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85664
    published 2015-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85664
    title Debian DSA-3344-1 : php5 - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1135.NASL
    description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs : * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. (BZ#1212298) All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84345
    published 2015-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84345
    title CentOS 7 : php (CESA-2015:1135)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1135.NASL
    description Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archi