PHP up to 4.4.9/5.5.6 Timestamp Converter openssl_x509_parse ASN1 Timestamp memory corruption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.0 | $0-$5k | 0.00 |
A vulnerability classified as critical was found in PHP up to 4.4.9/5.5.6 (Programming Language Software). This vulnerability affects the function openssl_x509_parse of the component Timestamp Converter. The manipulation as part of a ASN1 Timestamp leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.The advisory summarizes:
Other applications like Wordpress use openssl_x509_parse() to further verify SSL certificates whenever Wordpress connects to a HTTPS URL (in case ext/curl is not loaded which is the default for several linux distributions).
The weakness was disclosed 12/13/2013 by Stefan Esser (i0n1c) with SektionEins GmbH as PHP openssl_x509_parse() Memory Corruption Vulnerability as confirmed advisory (Website). The advisory is shared for download at sektioneins.de. The public release has been coordinated in cooperation with the vendor. The advisory contains:
RedHat Security tells php.net that they should commit the fix silently and add info about it only after release. They further tell php.net to tell us to not discuss the vulnerability in public prior to patches being available. security@php.net fixes the vulnerability openly and does not attempt to hide that the commit is a security fix as RedHat Security suggested. RedHat Security Announces that they now consider this vulnerability public and sends out their own patches with big announcement one day before php.net is ready to release their own fixes.This vulnerability was named CVE-2013-6420 since 11/04/2013. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details and also a public exploit are known. Responsible for the vulnerability is the following code:
static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
{
/*
This is how the time string is formatted:
snprintf(p, sizeof(p), "%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
*/
time_t ret;
struct tm thetime;
char * strbuf;
char * thestr;
long gmadjust = 0;
if (timestr->length < 13) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
return (time_t)-1;
} The advisory points out:This problem can be triggered by x509 certificates that contain NUL bytes in their notBefore and notAfter timestamp fields and leads to a memory corruption that might result in arbitrary code execution. (…) Within the function openssl_x509_parse() the helper function asn1_time_to_time_t() is called two times (…).
A public exploit has been developed by Stefan Esser (i0n1c) in x509 Certificate and been published immediately after the advisory. It is possible to download the exploit at sektioneins.de. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 11 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 71574 (Amazon Linux AMI : php (ALAS-2013-262)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Amazon Linux Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 43551 (Juniper JUNOS J-Web: Multiple Vulnerabilities (JSA10804)).
Upgrading eliminates this vulnerability. The upgrade is hosted for download at php.net. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The advisory contains the following remark:
security@php.net pushes PHP updates to the PHP 5.3, PHP 5.4 and PHP 5.5 branches to the mirros as was previously agreed upon.Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13619.
The vulnerability is also documented in the databases at X-Force (89602), Tenable (71574) and Exploit-DB (30395). Additional details are provided at packetstormsecurity.com.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.0
VulDB Base Score: 10.0
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Stefan Esser (i0n1c)
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 71574
Nessus Name: Amazon Linux AMI : php (ALAS-2013-262)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 702816
OpenVAS Name: Debian Security Advisory DSA 2816-1 (php5 - several vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Upgrade: php.net
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
11/04/2013 🔍11/27/2013 🔍
12/01/2013 🔍
12/02/2013 🔍
12/09/2013 🔍
12/12/2013 🔍
12/13/2013 🔍
12/13/2013 🔍
12/16/2013 🔍
12/16/2013 🔍
12/17/2013 🔍
12/17/2013 🔍
12/23/2013 🔍
07/07/2014 🔍
06/04/2021 🔍
Sources
Product: php.orgAdvisory: PHP openssl_x509_parse() Memory Corruption Vulnerability
Researcher: Stefan Esser (i0n1c)
Organization: SektionEins GmbH
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-6420 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 89602
SecurityTracker: 1029472
Vulnerability Center: 42606 - PHP Remote Arbitrary Code Execution and Denial of Service due to a Flaw in the openssl_x509_parse Function, High
SecurityFocus: 64018 - PHP CVE-2013-6712 Remote Denial of Service Vulnerability
Secunia: 59652 - SUSE update for php5, Highly Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 12/16/2013 15:13Updated: 06/04/2021 11:40
Changes: 12/16/2013 15:13 (112), 11/25/2018 10:02 (10), 06/04/2021 11:40 (2)
Complete: 🔍
Cache ID: 3:076:103
No comments yet. Languages: en.
Please log in to comment.