CVE-2017-11362 in PHP

Summary

by MITRE

In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.


Analysis

by VulDB Data Team • 12/13/2022

The vulnerability identified as CVE-2017-11362 is a critical stack-based buffer overflow in PHP's internationalization component, specifically in the msgformat_parse.c file of the ext/intl extension. It affects PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7, and can be triggered remotely to disrupt service availability or potentially execute arbitrary code. The flaw stems from the absence of input validation on the locale parameter of the msgfmt_parse_message function, which processes internationalized messages through the International Components for Unicode (ICU) library for C/C++.

Technically, the vulnerability arises from the lack of bounds checking on locale string length during message parsing. When an over-long locale string is passed as the first argument to msgfmt_parse_message, the underlying ICU library does not validate the input size, leading to a stack buffer overflow. The overflow occurs because a fixed-size buffer is allocated on the stack to hold locale data, but the code does not check whether the incoming locale string exceeds that limit. Because the overflow is on the stack, it can corrupt adjacent stack memory, leading to application crashes, unpredictable behavior, or in some cases remote code execution, depending on memory layout and compiler protections.

From an operational perspective, this vulnerability creates substantial risk for PHP applications that use internationalization features and pass user-supplied data through message formatting functions. Attackers can leverage the flaw to perform denial of service attacks by crashing the application, making services unavailable to legitimate users. The impact may extend beyond service disruption, as the vulnerability may allow more severe consequences including privilege escalation or information disclosure depending on the execution environment and available mitigations. It is particularly concerning in web applications where user input flows directly into internationalization functions without sanitization, making it a prime target for automated exploitation tools.

Organizations affected by this vulnerability should prioritize patching their PHP installations to 7.0.21 or 7.1.7 and later, which add the missing check on locale length. Additional mitigations include input validation that limits the maximum length of locale parameters before processing, web application firewalls that detect and block suspicious input patterns, and monitoring of application logs for exploitation attempts. Security teams should also consider runtime protections such as stack canaries and address space layout randomization to reduce the exploitability of similar vulnerabilities. This vulnerability aligns with CWE-121 Stack-based Buffer Overflow and maps to ATT&CK technique T1499.004 for Denial of Service, emphasizing the need for comprehensive security controls across the application lifecycle. The incident underscores the importance of validating all user input, particularly in internationalization libraries that handle complex data structures and external dependencies like ICU, which can introduce unexpected security implications when not properly constrained.
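As an added example (not VulDB's or the PHP project's own code), the following wrapper applies the input-validation mitigation described above: it caps the locale length and checks the value against an allow-list before msgfmt_parse_message is ever called. The 80-byte cap and the allowed-locale list are assumptions chosen for illustration, not values taken from the PHP fix.

```php
<?php
// Added example, not from VulDB or PHP: guard msgfmt_parse_message() so that
// an over-long or unexpected locale never reaches the intl extension / ICU.

// Assumed limit: not stated on this page. 80 bytes comfortably covers every
// real BCP 47 / ICU locale identifier while rejecting overflow-sized input.
const MAX_LOCALE_LEN = 80;

// Assumed allow-list: the locales this application actually supports.
const ALLOWED_LOCALES = ['en_US', 'en_GB', 'de_DE', 'fr_FR'];

/**
 * Parse $message against $pattern for $locale, or return null if the
 * locale fails validation or ICU reports an error.
 */
function safe_parse_message(string $locale, string $pattern, string $message): ?array
{
    // 1. Length check first: this is the condition the unpatched code lacked.
    if (strlen($locale) > MAX_LOCALE_LEN) {
        error_log(sprintf('rejected locale: length %d exceeds %d', strlen($locale), MAX_LOCALE_LEN));
        return null;
    }
    // 2. Strict syntax check, so only language[_REGION] style identifiers pass.
    if (!preg_match('/^[A-Za-z]{2,8}(?:[_-][A-Za-z0-9]{1,8})*$/', $locale)) {
        error_log('rejected locale: malformed identifier');
        return null;
    }
    // 3. Allow-list: user input may select a locale but never invent one.
    if (!in_array($locale, ALLOWED_LOCALES, true)) {
        error_log('rejected locale: not in allow-list');
        return null;
    }
    // Only now hand the value to the intl extension.
    $result = msgfmt_parse_message($locale, $pattern, $message);
    if ($result === false) {
        error_log('msgfmt_parse_message failed: ' . intl_get_error_message());
        return null;
    }
    return $result;
}

// Constructed inputs: a legitimate call, then a locale far longer than any
// real identifier (a plain run of letters, standing in for the over-long
// first argument the advisory describes).
var_dump(safe_parse_message('en_US', '{0,number,integer} apples', '42 apples'));
var_dump(safe_parse_message(str_repeat('a', 5000), '{0} apples', '42 apples'));
```

The first call returns an array containing the parsed number; the second is rejected at the length check and logged without touching ICU.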

Reservation: 07/16/2017

Disclosure: 07/17/2017

Moderation: accepted

CPE: ready

EPSS: 0.02910

KEV: no

Activities: very low
