PHP7: 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!

Palloy
This applies to people running web servers who either use PHP directly (to create dynamic/personalised stuff on web pages) or have installed packages like WordPress and SMF and lots of other packages, which use PHP.  That is, just about every web server, including

PHP Group is currently supporting 3 "strains" of PHP: 7.1, 7.0, and 5.6, so you should ensure that you or your web host is using the latest version.  One way to do that is to use SSH to log in to your web host, which gets you to a root command prompt (#), and type:

# php --version

to which DD responds:

PHP 5.4.45 (cli) (built: Oct  5 2015 14:16:21)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with the ionCube PHP Loader (enabled) + Intrusion Protection from (unconfigured) v5.1.2, Copyright (c) 2002-2016, by ionCube Ltd.
    with SourceGuardian v11.0.2, Copyright (c) 2000-2016, by SourceGuardian Ltd.
    with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies

which is NOT a good sign.

The problem is that with every new strain of PHP there are new features and some old features are dropped.  If any of your PHP routines use those old features, they will not work when you upgrade to the new strain. 

WordPress (core package) has been proven to work with all versions of PHP, but this doesn't necessarily apply to the plugins and themes.  Some plugin writers test their plugin on new strains of PHP and declare it works (and they could be wrong).  If they don't do this, the only way to check that the plugins and themes work in PHP-7.1 is to do the upgrade and see if it breaks.   :o

SMF is even less straightforward.  Since SMF-2.0.7, SMF requires PHP-5.5.x, and definitely doesn't work with PHP-7.x.  This is because in PHP-7.x MySQL has been dropped and replaced by MySQLi.  That involves making big changes to SMF, and currently the developers say they aren't going to do it for SMF-2.0.x, and probably not for SMF-2.1.x either.  Huh? - that's outrageous!!!!  I demand that you work on this free software and make it compatible at once!  What do you mean the developer says "no"?

This signals the end for SMF sooner or later.  When PHP Group drops support for PHP-5.x (scheduled for tomorrow, 31 Dec 2016, but security bugs will be fixed for another 2 years), and SMF doesn't work with PHP-7.x, we're fucked.

No, hang on. As of November 2016 SMF says SMF-2.1.x will support PHP-7.  SMF-2.1 has been on beta release (a testing version) for years but no final release date has been set.  There is also a "mod" for SMF-2.0 that might work with PHP-7, but testing that is a lower priority than working on SMF-2.1.  What a fucking shambles.

Anyway, the best we can do at the moment is to upgrade PHP to 5.6.x.  I won't start on it yet.

3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
December 28, 2016
Swati Khandelwal

Three critical zero-day vulnerabilities have been discovered in PHP 7 that could allow an attacker to take complete control over 80 percent of websites which run on the latest version of the popular web programming language.

The critical vulnerabilities reside in the unserialize mechanism in PHP 7 – the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in the past years by sending maliciously crafted data in client cookies.

Security researchers at Check Point's exploit research team spent several months examining the unserialize mechanism in PHP 7 and discovered "three fresh and previously unknown vulnerabilities" in the mechanism.

While researchers discovered flaws in the same mechanism, the vulnerabilities in PHP 7 are different from what was found in PHP 5.

Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaws can be exploited in a similar manner as a separate vulnerability (CVE-2015-6832) detailed in Check Point's August report.

    CVE-2016-7479—Use-After-Free Code Execution
    CVE-2016-7480—Use of Uninitialized Value Code Execution
    CVE-2016-7478—Remote Denial of Service

The first two vulnerabilities, if exploited, would allow a hacker to take full control over the target server, enabling the attacker to do anything from spreading malware to stealing customer data or defacing it.

The third vulnerability could be exploited to generate a Denial of Service (DoS) attack, allowing a hacker to hang the website, exhaust its memory consumption and eventually shut down the target system, researchers explain in their report [PDF].

According to Yannay Livneh of Check Point's exploit research team, none of the above vulnerabilities were found exploited in the wild by hackers.

The Check Point researchers reported all three zero-day vulnerabilities to the PHP security team on September 15 and August 6.

Patches for two of the three flaws were issued by the PHP security team on 13th October and 1st December, but one of them remains unpatched.

Besides patches, Check Point also released IPS signatures for the three vulnerabilities on the 18th and 31st of October to protect users against any attack that exploits these vulnerabilities.

In order to ensure the webserver’s security, users are strongly recommended to upgrade their servers to the latest version of PHP.
« Last Edit: December 29, 2016, 06:51:15 PM by Palloy »
The State is a body of armed men
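
An added example, not part of the original post or the quoted article: the article describes crafted client cookie data reaching PHP's unserialize mechanism, so one way to close that path in your own code is to store cookie state as HMAC-signed JSON and never call unserialize() on it. The COOKIE_KEY value, the function names and the sample data are assumptions made up for illustration.

```php
<?php
// Added example (not from the post or the article). Needs PHP 5.6+ for hash_equals().
// COOKIE_KEY is a placeholder: load a long random secret from server-side config.
const COOKIE_KEY = 'replace-with-a-random-secret';

// Risky pattern: attacker-controlled bytes go straight into the unserialize engine.
//   $prefs = unserialize($_COOKIE['prefs']);

// Hardened pattern: JSON payload plus an HMAC, so only values this server
// issued are decoded, and decoding never instantiates PHP objects.
function encode_cookie(array $data, $key)
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function decode_cookie($cookie, $key)
{
    $parts = explode('.', (string) $cookie, 2);
    if (count($parts) !== 2) {
        return null;                        // malformed: no signature part
    }
    list($payload, $mac) = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;                        // tampered or forged
    }
    $json = base64_decode($payload, true);  // strict mode rejects stray bytes
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);       // arrays only, never objects
    return is_array($data) ? $data : null;
}

// Constructed sample data, run from the CLI with: php example.php
$cookie   = encode_cookie(array('theme' => 'dark', 'lang' => 'en'), COOKIE_KEY);
$tampered = 'A' . substr($cookie, 1);       // flip the first payload character

var_dump(decode_cookie($cookie, COOKIE_KEY));    // the original array
var_dump(decode_cookie($tampered, COOKIE_KEY));  // NULL: signature mismatch
var_dump(decode_cookie('garbage', COOKIE_KEY));  // NULL: malformed cookie
```

This only covers code you control; packages such as WordPress or SMF that call unserialize() internally still depend on the PHP upgrade discussed in the post.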

