PHP :: Sec Bug #71704 :: php_snmp_error() Format String Vulnerability
| Sec Bug #71704 | php_snmp_error() Format String Vulnerability | | |
|---|---|---|---|
| Submitted: | 2016-03-02 19:14 UTC | Modified: | 2016-04-25 17:07 UTC |
| From: | andrew at jmpesp dot org | Assigned: | ab (profile) |
| Status: | Closed | Package: | SNMP related |
| PHP Version: | 5.5.33 | OS: | Any |
| Private report: | No | CVE-ID: | 2016-4071 |
[2016-03-02 19:14 UTC] andrew at jmpesp dot org
Description:
------------
A format string vulnerability exists in php_snmp_error() at ext/snmp/snmp.c:533, because snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a "%s". This issue appears to be present across all PHP versions. In testing, I have been able to leverage this vulnerability for full code-execution by abusing PHP's internal "%Z" (zval) format specifier. In the interest of brevity I am not attaching that exploit to this report, but would be happy to provide it if wanted/needed.
This patch should solve it:
--- php-7.0.3/ext/snmp/snmp.c 2016-02-28 10:30:45.575024313 +0000
+++ php-7.0.3_patched/ext/snmp/snmp.c 2016-03-02 19:04:15.037952227 +0000
@@ -530,7 +530,7 @@
}
if (object && (snmp_object->exceptions_enabled & type)) {
- zend_throw_exception_ex(php_snmp_exception_ce, type, snmp_object->snmp_errstr);
+ zend_throw_exception_ex(php_snmp_exception_ce, type, "%s", snmp_object->snmp_errstr);
} else {
va_start(args, format);
php_verror(docref, "", E_WARNING, format, args);
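Review bot: The literal `"%s"` at the `zend_throw_exception_ex()` call is the right fix, but the hunk is against `php-7.0.3/ext/snmp/snmp.c` while the report states the bug exists in all PHP versions, so the same one-line change has to be applied to the 5.5 and 5.6 branches as well. The `else` branch shows the function already carries a separate `format`/`args` pair for `php_verror()`, so only the exception path ever used `snmp_errstr` as a format; it is still worth a quick grep of the file for any other call that hands `snmp_errstr` (or another runtime-built string) to a printf-style function as its format argument, so that the whole class is closed in one commit.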
Test script:
---------------
```php
<?php
// Reproduction script from the report: with exceptions enabled, an SNMP
// error is raised via zend_throw_exception_ex(), where snmp_errstr (built
// from the failed request) was passed directly as the format string.
$session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
$session->exceptions_enabled = SNMP::ERRNO_ANY; // important!
try {
    $session->get("%x%x%x%x%x%x%x%x");
} catch (SNMPException $e) {
    echo $e->getMessage();
}
?>
```
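As an added illustration (not PHP's own code, and written independently of the report), the C model below mirrors the two paths of php_snmp_error() from the hunk: the warning path, which correctly pairs a literal format with a va_list, and the exception path after the patch, which passes the runtime error text as a value through a literal "%s". It also includes a small scanner that flags error strings containing conversion directives, the kind of check a regression test or log audit can run on any string that reaches a printf-style sink. All function and variable names are hypothetical.

```c
/* Model of the php_snmp_error() paths described in the report.
 * Added example: names are hypothetical, not the real ext/snmp code. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ERRSTR_MAX 256
static char msgbuf[ERRSTR_MAX];

/* Returns true if s contains a printf-style conversion directive, i.e. a
 * '%' not immediately followed by another '%'. Such a string, if used as
 * the *format* argument (as snmp_errstr was before the patch), would be
 * interpreted by the formatter instead of being copied verbatim. */
bool has_conversion_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return true;
    }
    return false;
}

/* Exception path, patched form: the error text is always a value that is
 * formatted through the literal "%s", so its content is never parsed. */
const char *exception_message(const char *snmp_errstr)
{
    snprintf(msgbuf, sizeof msgbuf, "%s", snmp_errstr);
    return msgbuf;
}

/* Warning path, as in the else branch of the hunk: a compile-time literal
 * format plus variadic arguments is the correct use of the formatter. */
const char *warning_message(const char *format, ...)
{
    va_list args;
    va_start(args, format);
    vsnprintf(msgbuf, sizeof msgbuf, format, args);
    va_end(args);
    return msgbuf;
}
```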
History
[2016-03-21 04:22 UTC] stas@php.net
-Assigned To: +Assigned To: ab
[2016-03-29 06:46 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.5.33
[2016-03-29 06:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-04-25 17:07 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4071