SEC Consult SA-20170403-0 :: Misbehavior of PHP fsockopen function

From: SEC Consult Vulnerability Lab <research@sec-consult.com>
To: bugtraq@securityfocus.com, fulldisclosure@seclists.org
Message-ID: <58E20A81.7020708@sec-consult.com>
Subject: SEC Consult SA-20170403-0 :: Misbehavior of PHP fsockopen function


SEC Consult Vulnerability Lab Security Advisory < 20170403-0 >
=========================================================================
              title: Misbehavior of the "fsockopen" function
            product: PHP
 vulnerable version: 7.1.2
      fixed version:
         CVE number: CVE-2017-7272
             impact: Medium
           homepage: http://www.php.net/
              found: 2017-03-06
                 by: Fikri Fadzil (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=========================================================================

Vendor description:
-------------------
"PHP is a popular general-purpose scripting language that is especially suited
to web development. Fast, flexible and pragmatic, PHP powers everything from
your blog to the most popular websites in the world."

Source: http://www.php.net/


Business recommendation:
------------------------
By exploiting this issue, an attacker can bypass prevention mechanisms that
protect calls to the "fsockopen" function in PHP, in order to perform
server-side request forgery (SSRF) attacks.

SEC Consult recommends checking developed or installed websites for any
possibility to exploit this issue.


Vulnerability overview/description:
-----------------------------------
The "fsockopen" function in PHP behaves differently if two port numbers are
given at once: one appended to the hostname and one in the second parameter.
Many developers assume the function will prioritize the port number given in
the second parameter, so an attacker may use this unexpected behavior to,
for example, conduct a server-side request forgery attack.


Proof of concept:
-----------------
The "fsockopen" function in PHP does not use the port number given in the
second parameter if the hostname already has a port number appended. The
example below illustrates the misbehavior of the function.

// This request will go to port 80
fsockopen("192.168.184.132", 80);

// This request will go to port 53
fsockopen("192.168.184.132:53", 80);

Instead of initiating a socket connection on port 80 as given in the second
parameter, the function appears to use port 53, which is appended to the
hostname.



Vulnerable / tested versions:
-----------------------------
PHP versions 7.0.11 and 7.1.2 have been tested and found to be vulnerable.

Older PHP versions are potentially affected as well.


Vendor contact timeline:
------------------------
2017-03-07: Reported the issue through the PHP Bug Tracking System
            (SecBug #74216)
            https://bugs.php.net/bug.php?id=74216
2017-03-07: Changes were committed to PHP's main repository on GitHub.
            https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
2017-04-03: Public disclosure of the advisory


Solution:
---------
Patch:
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a


Workaround:
-----------
It is recommended to restrict user-supplied hostname input so that it cannot
carry an appended port number; the port should come only from the second
parameter of "fsockopen".
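The workaround above, as an added example that is not part of the advisory or of PHP itself: a wrapper that rejects a hostname carrying an embedded port (the shape shown in the proof of concept) before it ever reaches "fsockopen", so the second parameter is the only source of the destination port. The function names validate_socket_host and safe_fsockopen are this example's own choices.

```php
<?php
// Added example (not from the advisory or the PHP project): validate the
// host before calling fsockopen so a "host:port" string cannot override
// the $port argument. Names are this example's own choices.

function validate_socket_host(string $host): bool
{
    // Accept a bare IPv4 address as-is.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // Otherwise accept only a plain DNS name: labels of letters, digits and
    // hyphens separated by dots. A ':' (host:port), '/', '@' or a scheme
    // fails this pattern. \z (not $) so a trailing newline is also rejected.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match('/^(?=.{1,253}\z)' . $label . '(\.' . $label . ')*\z/', $host);
}

function safe_fsockopen(string $host, int $port, float $timeout = 5.0)
{
    if (!validate_socket_host($host)) {
        throw new InvalidArgumentException(
            "Refusing host '$host': embedded port or unexpected characters");
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Port $port out of range");
    }
    $errno = 0;
    $errstr = '';
    // Only a validated host reaches fsockopen, so $port decides the destination.
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("Connection to $host:$port failed: [$errno] $errstr");
    }
    return $fp;
}

// Constructed inputs: the second one has the shape from the proof of concept
// and is rejected before any socket is opened.
foreach (['192.168.184.132', '192.168.184.132:53', 'example.com', 'bad host'] as $candidate) {
    printf("%-22s -> %s\n", $candidate,
        validate_socket_host($candidate) ? 'accepted' : 'rejected');
}
```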


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Fikri Fadzil / @2017

