CVE-2017-5358

9.8 CRITICAL

📋 TL;DR

This is a critical stack-based buffer overflow vulnerability in EasyCom for PHP's php_Easycom5_3_0.dll library. Remote attackers can execute arbitrary code by sending specially crafted server arguments to connection API functions. Organizations using EasyCom for PHP 4.0.0.29 with AS400/IBM iSeries connectivity are affected.

💻 Affected Systems

Products:
  • EasyCom for PHP
Versions: 4.0.0.29
Operating Systems: Windows, Linux, Any OS running PHP with EasyCom extension
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the php_Easycom5_3_0.dll library used by the EasyCom PHP extension for AS400 connectivity.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or creation of persistent backdoors on affected servers.

🟠 Likely Case

Remote code execution allowing attackers to gain shell access, install malware, or pivot to internal network resources.

🟢 If Mitigated

Exploitation attempts fail due to input validation or memory protection mechanisms, potentially causing service crashes.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing systems prime targets.
🏢 Internal Only: MEDIUM - Internal systems remain vulnerable to insider threats or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Exploit-DB and Packet Storm. Attack requires network access to PHP applications using the vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0.30 or later

Vendor Advisory: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt

Restart Required: Yes

Instructions:

1. Download the latest EasyCom for PHP version from the vendor.
2. Replace php_Easycom5_3_0.dll with the patched version.
3. Restart the web server/PHP service.
4. Test the AS400 connectivity functions.

🔧 Temporary Workarounds

Input Validation Wrapper (all platforms)

Implement input validation for the server parameter before passing it to the vulnerable functions.

<?php
// PHP code example: length-check the server argument before it reaches the extension
function safe_i5_connect($server, ...$args) {
    // 255 is the limit this page uses for the server parameter; reject anything longer
    if (!is_string($server) || strlen($server) > 255) {
        throw new Exception('Server name too long');
    }
    // Forward any remaining arguments (user, password, options) to the real function unchanged
    return i5_connect($server, ...$args);
}

Network Restriction (all platforms)

Restrict network access to the PHP applications that use EasyCom functions.

# iptables example for Linux: accept the trusted network first, then drop everyone else
# (replace trusted_network with your CIDR; add matching --dport 443 rules if HTTPS is in use)
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# Windows Firewall: inbound is blocked by default, so add an allow rule scoped to the trusted network
# (a plain block rule on 80,443 would cut off all web access, including legitimate users)
netsh advfirewall firewall add rule name="Allow EasyCom web from trusted" dir=in action=allow protocol=TCP localport=80,443 remoteip=trusted_network

🧯 If You Can't Patch

  • Disable or remove the EasyCom PHP extension entirely
  • Implement web application firewall (WAF) rules to block requests with long server parameters

🔍 How to Verify

Check if Vulnerable:

Check whether php_Easycom5_3_0.dll (version 5.3.0) exists in the PHP extensions directory and whether the EasyCom version is 4.0.0.29.

Check Version:

Run php -r "echo phpversion('easycom');" or check the PHP info page for the EasyCom extension details.

Verify Fix Applied:

Verify that the php_Easycom5_3_0.dll file version is updated and that the EasyCom version shows 4.0.0.30 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long server parameter values in PHP logs
  • Web server crashes or segmentation faults
  • Multiple failed connection attempts with varying server names

Network Indicators:

  • HTTP requests with server parameters exceeding 255 characters
  • Traffic patterns matching exploit payloads from known sources

SIEM Query:

source="web_logs" AND (uri="*i5_connect*" OR uri="*i5_pconnect*" OR uri="*i5_private_connect*") AND param_length>255
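The SIEM query above assumes a field such as param_length already exists. The following added example (not from the original page) shows how to derive that indicator from raw web-server access logs: it parses each request line, splits the query string, and flags any parameter longer than the 255-character threshold this page uses, also recording the HTTP status so a following 5xx (a possible crash) is visible. The log lines, paths and parameter names are constructed for the example; it only sees GET query strings, since POST bodies are not in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_PARAM_LEN = 255  # threshold used in this page's detection guidance

# Constructed sample access-log lines (Apache/nginx combined-style prefix), not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2017:10:00:01 +0000] "GET /as400/connect.php?server=PROD01&user=web HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2017:10:00:07 +0000] "GET /as400/connect.php?server=' + 'A' * 300 + ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Mar/2017:10:00:09 +0000] "POST /as400/pconnect.php HTTP/1.1" 200 128',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with src, ts, method, path, params, status; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec.pop('target'))
    rec['path'] = parts.path
    # keep_blank_values so an empty parameter still shows up (length 0)
    rec['params'] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def oversized_params(params, limit=MAX_PARAM_LEN):
    """Map of parameter name -> value length for every parameter longer than limit."""
    return {k: len(v) for k, v in params.items() if len(v) > limit}


def find_suspicious(lines, limit=MAX_PARAM_LEN):
    """Scan log lines and return one hit per request carrying an over-long parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        over = oversized_params(rec['params'], limit)
        if over:
            hits.append({'src': rec['src'], 'ts': rec['ts'], 'path': rec['path'],
                         'params': over, 'status': rec['status']})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The same oversized_params check is what a WAF rule for the "If You Can't Patch" section enforces at request time, before the value reaches the extension.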
