CVE-2007-1286
Published 2007-03-06
Priority P3 · 50 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit available · EPSS 40.44% (98.5th percentile)
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 4.4.4 | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for oversized Cookie headers (~900KB+) sent to PHP applications, particularly where the cookie value is passed to unserialize(). The exploit requires approximately 900k of data delivered via multiple Cookie headers.
- Inspect HTTP responses for PHP version headers (X-Powered-By or Server) advertising PHP/4.x (specifically 4.4.4 and earlier), as these are the vulnerable versions targeted by this exploit.
- Monitor for POST requests carrying large payloads (~2MB) combined with multiple Cookie headers targeting known application paths such as /phpBB2/faq.php, /index.php, /dmr/dmr.php, /phpwebgallery/index.php, /ariadne/loader.php/, /proma/index.php and /egroupware/login.php; this pattern is indicative of the brute-force shellcode delivery method.
- On x86 Linux systems, look for exploitation artifacts where the EDI register points into a hashtable string; this memory layout is a characteristic indicator of this specific vulnerability being triggered.
- The exploit targets PHP 4.4.4 and all earlier versions supporting unserialize(); PHP 4.5.0 (patched by Stefan Esser) is not vulnerable. Detections based on PHP version headers should only flag PHP/4.x versions below 4.5.0.
- The Metasploit module brute-forces return addresses in the range 0xb6000400–0xbfff0000 (step 1MB) for Linux x86 Generic targets; specific distributions (SuSE 64-bit: 0x005c0000, Backtrack 2.0: 0xb797a000, Gentoo: 0xb6900000) may require adjusted ranges.
- The cookie name passed to unserialize() is application-specific and configurable via the COOKIENAME option; defenders should enumerate all cookies their PHP 4 applications pass to unserialize() and monitor those specifically.
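The detection list above can be turned into a small traffic check. The following is an added example written for this page, not code from any of the listed sources or from the Metasploit module; it assumes raw HTTP/1.1 request heads as input, takes its thresholds (~900KB of combined Cookie data, ~2MB POST bodies, PHP/4.x banners below 4.5.0, the listed application paths) from the list above, and all sample requests and response headers in it are constructed.

```python
"""Heuristic detection for the traffic pattern in the Detection & IOCs list.

Assumptions (not from the page's sources): input is a raw HTTP/1.1 request
head plus the response headers; thresholds are the values quoted in the list
above. All sample traffic below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

COOKIE_BYTES_THRESHOLD = 900 * 1024          # ~900KB of Cookie header data (from the list above)
POST_BODY_BYTES_THRESHOLD = 2 * 1024 * 1024  # ~2MB POST payload (from the list above)
# Application paths the list above names as targeted
WATCHED_PATHS = {
    "/phpBB2/faq.php", "/index.php", "/dmr/dmr.php", "/phpwebgallery/index.php",
    "/ariadne/loader.php/", "/proma/index.php", "/egroupware/login.php",
}
PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_request_head(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP request head into (method, path, ordered header list).

    Repeated header names (several Cookie: lines) are kept, in order, because
    the cookie data of interest is spread over multiple Cookie headers.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    path = target.split("?", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, path, headers


def is_vulnerable_php_version(header_value: str) -> bool:
    """True for a PHP/4.x banner below 4.5.0, the range the list above flags."""
    match = PHP_VERSION_RE.search(header_value or "")
    if not match:
        return False
    major, minor = int(match.group(1)), int(match.group(2))
    return major == 4 and minor < 5


def assess(raw_request: bytes, response_headers: Dict[str, str]) -> List[str]:
    """Return finding tags for one request/response pair (empty list = nothing matched)."""
    method, path, headers = parse_request_head(raw_request)
    cookies = [value for name, value in headers if name == "cookie"]
    cookie_bytes = sum(len(value) for value in cookies)
    body_len = int(dict(headers).get("content-length", "0") or 0)
    findings: List[str] = []
    # Indicator 1: oversized cookie data spread over Cookie headers
    if cookie_bytes >= COOKIE_BYTES_THRESHOLD:
        findings.append(f"oversized_cookie_data:{cookie_bytes}B:{len(cookies)}hdrs")
    # Indicator 3: large POST + several Cookie headers + a listed application path
    if (method == "POST" and body_len >= POST_BODY_BYTES_THRESHOLD
            and len(cookies) > 1 and path in WATCHED_PATHS):
        findings.append(f"large_post_multi_cookie:{path}")
    # Indicator 2: the backend advertises an affected PHP 4 version
    for name in ("X-Powered-By", "Server"):
        if is_vulnerable_php_version(response_headers.get(name, "")):
            findings.append(f"php4_banner:{name}={response_headers[name]}")
    return findings


def build_request(method: str, path: str, cookie_chunks: List[str], body_len: int) -> bytes:
    """Build a constructed HTTP/1.1 request head (sample input, not captured traffic)."""
    lines = [f"{method} {path} HTTP/1.1", "Host: app.example.test"]
    lines += [f"Cookie: {chunk}" for chunk in cookie_chunks]
    if body_len:
        lines.append(f"Content-Length: {body_len}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed samples: one ordinary session request, one matching the pattern above
BENIGN_REQUEST = build_request("GET", "/index.php", ["PHPSESSID=abc123"], 0)
SUSPECT_REQUEST = build_request(
    "POST", "/phpBB2/faq.php", ["data=" + "A" * 200_000] * 5, POST_BODY_BYTES_THRESHOLD + 100)
PHP4_RESPONSE = {"X-Powered-By": "PHP/4.4.4", "Server": "Apache/1.3.37"}
PHP5_RESPONSE = {"X-Powered-By": "PHP/5.2.1", "Server": "Apache/2.2.4"}

if __name__ == "__main__":
    for label, req, resp in (("benign", BENIGN_REQUEST, PHP5_RESPONSE),
                             ("suspect", SUSPECT_REQUEST, PHP4_RESPONSE)):
        print(label, assess(req, resp) or "no findings")
```

The banner check on its own only says a host is in the affected version range, so it is emitted as a separate tag rather than folded into the traffic indicators; the combination of an oversized-cookie or large-POST finding with a PHP/4.x banner on the same exchange is what should be prioritised.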
CVSS provenance
- NVD (CVSS 2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- Red Hat (vendor): 6.8 MEDIUM
GHSA
GHSA-259c-37px-2x76 (CVE-2007-1383, MEDIUM, CWE-190) · ghsa_unreviewed · 2022-05-01 · CVSS 6.8
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
GHSA
GHSA-5g4m-4pg3-qmxc: Integer overflow in PHP 4 (CVE-2007-1286, MEDIUM) · ghsa_unreviewed · 2022-05-01
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
Red Hat
CVE-2007-1286 security flaw (MEDIUM) · vendor_redhat · 2007-03-02 · CVSS 6.8
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
Red Hat
CVE-2007-1383 php variable counter integer overflow (MEDIUM) · vendor_redhat · CVSS 6.8
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
Statement: The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.
No detection rules found.
Exploit-DB
PHP 4 - Unserialize() ZVAL Reference Counter Overflow (Cookie) (Metasploit) (CVE-2007-1286) · exploitdb · 2010-09-20
---
##
# $Id: php_unserialize_zval_cookie.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)',
'Description' => %q{
This module exploits an integer overflow vulnerability in the unserialize()
function of the PHP web server extension. This vulnerability was patched by
Stefan in version 4.5.0 and applies all previous versions supporting this function.
This particular module
Exploit-DB
PHP 4.4.4 - 'Unserialize()' ZVAL Reference Counter Overflow (PoC) (CVE-2007-1286) · exploitdb · 2007-03-02
---
# milw0rm.com [2007-03-02]
Exploit-DB
PHP < 4.5.0 - Unserialize Overflow (Metasploit) (CVE-2007-1286) · exploitdb · 2007-03-01
PHP 'PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)',
'Description' => %q{
This module exploits an integer overflow vulnerability in the unserialize()
function of the PHP web server extension. This vulnerability was patched by
Stefan in version 4.5.0 and applies all previous versions supporting this function.
This particular module targets numerous web applications and is based on the proof
of concept provided by Stefan Esser. This vulnerability requires approximately 900k
of data to trigger due the multiple Cookie headers requirement. Since we
are already assuming a fast network connection, we use a 2Mb block of shellcode for
the brute force, allowing quick exploitation for those with fast networks.
One of the neat things about this vulnerability is that on x86 systems, the
Metasploit
PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie) · metasploit
This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into th
Bugzilla
CVE-2007-1286 security flaw (MEDIUM) · bugzilla · 2018-08-16 · CVSS 6.8
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
Bugzilla
CVE-2007-1285 Multiple PHP issues (CVE-2007-1286, CVE-2007-1711) (HIGH) · bugzilla · 2007-04-05 · CVSS 7.5
+++ This bug was initially created as a clone of Bug #235225 +++
Summary of bugs disclosed during the "Month of PHP Bugs" which affect Stronghold
for Red Hat Enterprise Linux:
| CVE | MOPB advisory | Impact | Public |
|---|---|---|---|
| CVE-2007-1285 | MOPB-03-2007 | low | 2007-03-01 |
| CVE-2007-1286 | MOPB-04-2007 | important | 2007-03-02 |
| CVE-2007-1711 | MOPB-32-2007 | important | 2007-03-25 |
Version-Release number of selected component (if applicable):
4.1.2-2.14
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
Bugzilla
CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718) (LOW) · bugzilla · 2007-03-01 · CVSS 2.1
Description of problem:
This bug will be used to provide tracking information for the issues reported
during the "Month of PHP Bugs" initiative, http://www.php-security.org/
Discussion:
Introduction: The PHP interpreter does not offer a reliable
"sandboxed" security layer (as found in, say, a JVM) in which
untrusted scripts can be run; any script run by the PHP interpreter
must be trusted with the privileges of the interpreter itself. In
analysis of these issues, bugs which rely on an "untrusted local
attacker" will therefore not be classified as being
security-sensitive, since no trust boundary is crossed.
---
MOPB-01-2007 describes an issue in the PHP interpreter regarding the
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137
- http://rhn.redhat.com/errata/RHSA-2007-0154.html
- http://rhn.redhat.com/errata/RHSA-2007-0155.html
- http://rhn.redhat.com/errata/RHSA-2007-0163.html
- http://secunia.com/advisories/24419
- http://secunia.com/advisories/24606
- http://secunia.com/advisories/24910
- http://secunia.com/advisories/24924
- http://secunia.com/advisories/24941
- http://secunia.com/advisories/24945
- http://secunia.com/advisories/25025
- http://secunia.com/advisories/25062
- http://secunia.com/advisories/25423
- http://secunia.com/advisories/25445
- http://secunia.com/advisories/25850
- http://security.gentoo.org/glsa/glsa-200703-21.xml
- http://security.gentoo.org/glsa/glsa-200705-19.xml
- http://www.debian.org/security/2007/dsa-1282
- http://www.debian.org/security/2007/dsa-1283
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:087
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:088
- http://www.osvdb.org/32771
- http://www.php-security.org/MOPB/MOPB-04-2007.html
- http://www.securityfocus.com/archive/1/466166/100/0/threaded
- http://www.securityfocus.com/bid/22765
- http://www.trustix.org/errata/2007/0009/
- http://www.vupen.com/english/advisories/2007/1991
- http://www.vupen.com/english/advisories/2007/2374
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32796
- https://issues.rpath.com/browse/RPL-1268
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11575
Published: 2007-03-06