J-Security Center

Title: PHP Printf() Function 64bit Casting Multiple Format String Vulnerabilities

Severity: HIGH

Description:

PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP is prone to multiple format-string vulnerabilities due to a design error when casting 64-bit variables to 32 bits.

Specifically, the vulnerabilities reside in the 'php_sprintf_getnumber()' and 'php_sprintf_appendstring()' helper functions of the 'printf()' function family. The first helper function extracts the argument number, width, or precision for the 'php_formatted_print()' function. On 64-bit systems, these helper functions return an unsigned 63-bit long variable that is truncated and stored in 32-bit format. Because the calling code ensures that numbers must always be long positive numbers, when truncated they may become negative numbers, which are unexpected. This may cause the application to behave incorrectly, referencing arbitrary memory addresses or to overwrite heap control structures. Attackers may exploit the later condition to overwrite heap control structures with characters in the format string to execute arbitrary code.

Attackers may be able to exploit these issues to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions.

These issues affect PHP versions prior to 4.4.5 and 5.2.1 running on 64-bit computers.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Compaq Compaq Secure Web Server PHP 1.0.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • EnGarde Secure Linux 1.0.1
  • Gentoo Linux
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Guardian Digital Engarde Secure Linux 1.0.1
  • HP Internet Express 5.4.0
  • HP Internet Express 5.7.0
  • HP Internet Express 5.8.0
  • HP Internet Express 5.9.0
  • HP Internet Express 6.0.0
  • HP Internet Express 6.3
  • HP Internet Express 6.4
  • HP Internet Express 6.6
  • HP Secure OS software for Linux 1.0.0
  • HP Secure Web Server for HP Tru64 UNIX 6.6.4
  • HP System Management Homepage 2.0.0
  • HP System Management Homepage 2.0.1
  • HP System Management Homepage 2.0.2
  • HP System Management Homepage 2.1.0
  • HP System Management Homepage 2.1.1
  • HP System Management Homepage 2.1.2
  • HP System Management Homepage 2.1.3
  • HP System Management Homepage 2.1.3 .132
  • HP System Management Homepage 2.1.4
  • HP System Management Homepage 2.1.5
  • HP Systems Management HomePage 2.1.7.168
  • HP Tru64 UNIX Compaq Secure Web Server 4.0.0 f
  • HP Tru64 UNIX Compaq Secure Web Server 4.0.0 g
  • HP Tru64 UNIX Compaq Secure Web Server 5.0.0 a
  • HP Tru64 UNIX Compaq Secure Web Server 5.1.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.1.0 a
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.2
  • HP Tru64 UNIX Compaq Secure Web Server 5.9.1
  • HP Tru64 UNIX Compaq Secure Web Server 5.9.2
  • HP Tru64 UNIX Compaq Secure Web Server 6.3.0
  • HP Tru64 UNIX Compaq Secure Web Server 6.3.2 a
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenPKG OpenPKG 1.1.0
  • OpenPKG OpenPKG Current
  • PHP PHP 4.0.0 0
  • PHP PHP 4.0.1
  • PHP PHP 4.0.1 pl1
  • PHP PHP 4.0.1 pl2
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.3 pl1
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.0.7 RC1
  • PHP PHP 4.0.7 RC2
  • PHP PHP 4.0.7 RC3
  • PHP PHP 4.1.0 .0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.2.0 -dev
  • PHP PHP 4.2.0 .0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • PHP PHP 4.2.3
  • PHP PHP 4.3.0
  • PHP PHP 4.3.1
  • PHP PHP 4.3.10
  • PHP PHP 4.3.11
  • PHP PHP 4.3.2
  • PHP PHP 4.3.3
  • PHP PHP 4.3.4
  • PHP PHP 4.3.5
  • PHP PHP 4.3.6
  • PHP PHP 4.3.7
  • PHP PHP 4.3.8
  • PHP PHP 4.3.9
  • PHP PHP 4.4.0 .0
  • PHP PHP 4.4.1
  • PHP PHP 4.4.2
  • PHP PHP 4.4.3
  • PHP PHP 4.4.4
  • PHP PHP 5.0.0 .0
  • PHP PHP 5.0.0 candidate 1
  • PHP PHP 5.0.0 candidate 2
  • PHP PHP 5.0.0 candidate 3
  • PHP PHP 5.0.1
  • PHP PHP 5.0.2
  • PHP PHP 5.0.3
  • PHP PHP 5.0.4
  • PHP PHP 5.0.5
  • PHP PHP 5.1.0
  • PHP PHP 5.1.1
  • PHP PHP 5.1.2
  • PHP PHP 5.1.3
  • PHP PHP 5.1.3-RC1
  • PHP PHP 5.1.4
  • PHP PHP 5.1.5
  • PHP PHP 5.1.6
  • PHP PHP 5.2
  • RedHat Fedora Core3
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 i386
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.2.0
  • Slackware Linux 8.1.0
  • Sun Cobalt Control Station 4100CS
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt Qube3 Japanese 4000WGJ
  • Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
  • Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
  • Sun Cobalt Qube3 w/ Caching and RAID 4100WG
  • Sun Cobalt Qube3 w/Caching 4010WG
  • Sun Cobalt RaQ 550
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ XTR Japanese 3500R-ja
  • Sun Cobalt RaQ4 3001R
  • Sun Cobalt RaQ4 Japanese RAID 3100R-ja
  • Sun Cobalt RaQ4 RAID 3100R
  • Sun LX50
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 1.5.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Turbolinux Home
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 6.10 amd64
  • Ubuntu Ubuntu Linux 6.10 i386
  • Ubuntu Ubuntu Linux 6.10 powerpc
  • Ubuntu Ubuntu Linux 6.10 sparc

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.