Misbehavior of the "fsockopen" function

SEC Consult Vulnerability Lab Security Advisory < 20170403-0 >

=======================================================================

title: Misbehavior of the "fsockopen" function

product: PHP

vulnerable version: 7.1.2

fixed version:

CVE number: CVE-2017-7272

impact: Medium

homepage: www.php.net

found: 2017-03-06

by: Fikri Fadzil (Office Kuala Lumpur)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"PHP is a popular general-purpose scripting language that is especially suited

to web development. Fast, flexible and pragmatic, PHP powers everything from

your blog to the most popular websites in the world."

 

Source: www.php.net

 

 

Business recommendation:

------------------------

By making use of this issue, it is possible for an attacker to bypass current

prevention mechanisms used to protect the "fsockopen" function in PHP to perform

server-side request forgery attacks.

 

SEC Consult recommends to check the developed or installed websites for any

possibility to exploit any form of vulnerability due to this issue.

 

 

Vulnerability overview/description:

-----------------------------------

The "fsockopen" function in PHP will respond differently if two port numbers

are given at once. As many developers assume the function will prioritize the

port number given to the second function parameter, an attacker may utilize this

unpredictable behavior to e.g. conduct a server-side request forgery attack.

 

 

Proof of concept:

-----------------

The "fsockopen" function in PHP will not use the port number given to the

second parameter if the hostname already has a port number appended. The

example below should explain misbehavior of the function.

 

// This request will go to port 80

fsockopen("192.168.184.132", 80);

 

// This request will go to port 53

fsockopen("192.168.184.132:53", 80);

 

Instead of initiating a socket connection on port 80 as given in the second

parameter, the function appears to use the port number 53 which is

appended to the hostname.

 

 

 

Vulnerable / tested versions:

-----------------------------

PHP version 7.0.11 and 7.1.2 have been tested and found to be vulnerable.

 

Older PHP versions are potentially affected as well.

 

 

Vendor contact timeline:

------------------------

2017-03-07: Reported the issue through PHP Bug Tracking System. (SecBug #74216)

bugs.php.net/bug.php

2017-03-07: Changes were committed to the PHP's main repo in Github.

github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

2017-04-03: Public disclosure of the advisory

 

 

Solution:

---------

Patch:

github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

 

 

Workaround:

-----------

It is recommended to restrict user input data for a hostname to not have a

port number appended.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Fikri Fadzil / @2017