CVE-2015-6834
published 2016-05-16
Priority: P274 · critical · 9.8 (CVSS 3.0) · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS: 46.80% (98.7th percentile)
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
Affected (59 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | — | — |
| php | php | <= 5.4.44 | — |
Detection & IOCs (extracted from sources)
bytes: `\x00\x00\x00\x00\x01\x00\x00\x00`
- Detect unserialization payloads targeting SplDoublyLinkedList by looking for the class token `C:19:"SplDoublyLinkedList"` in user-supplied data passed to unserialize(), especially when combined with back-references `R:` or `r:` and an `O:3:"obj"` with a __wakeup method.
- Detect unserialization payloads targeting SplObjectStorage by looking for the class token `C:16:"SplObjectStorage"` in user-supplied data passed to unserialize(), combined with back-references `R:` and a __wakeup-bearing object.
- The exploit uses a fake zval byte pattern (8-byte pointer + 4 null bytes + \x01 + \x00 + \x00\x00) embedded as a PHP serialized string payload; scan for this byte sequence in HTTP request bodies targeting PHP unserialize endpoints.
- The post-exploitation stage writes a shell command to /tmp/a and executes it via 'sh /*/a;'; monitor for creation of executable files in /tmp and short shell commands matching this glob pattern.
- The PoC for SplDoublyLinkedList was confirmed on macOS 10.11 with PHP 5.6.12; behavior on other platforms may differ.
- Red Hat Enterprise Linux 5 and 6 ship PHP versions that are not affected; RHEL 7 and Red Hat Software Collections are affected, but Red Hat has stated no fix is planned.
- CVE-2016-9936 is a follow-on incomplete fix for this same vulnerability in PHP 7.x before 7.0.14; environments running PHP 7 should also be assessed for CVE-2016-9936.
- The apache2 process runs as PIE, so there are no fixed known addresses; the exploit requires a heap address leak and libphp5 base address computation before achieving code execution, making it environment-sensitive.
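A defender-side check that applies the indicators listed above to request bodies, added here as an example and not part of any of this page's sources. The sample bodies are constructed (the 0x41 bytes stand in for the variable pointer in the fake zval), and `score_payload`/`flag_requests` are names chosen for this example.

```python
import re

# Class tokens named in the IOC list above, as they appear on the wire.
SPL_TOKENS = (b'C:16:"SplObjectStorage"', b'C:19:"SplDoublyLinkedList"')
# Back-references (R: / r:) that the PoCs use to reach the freed zval.
BACKREF_RE = re.compile(rb'(?<![A-Za-z0-9_])[Rr]:\d+;')
# Any serialized object; the __wakeup method itself lives in server-side class
# code, so the payload only reveals which class gets instantiated.
OBJECT_RE = re.compile(rb'O:\d+:"([^"]+)"')
# Fixed tail of the fake zval quoted in the IOC list: 4 null bytes, then
# \x01 \x00 \x00\x00. The leading 8-byte pointer varies, so it is not matched.
FAKE_ZVAL_TAIL = b"\x00\x00\x00\x00\x01\x00\x00\x00"

def score_payload(body: bytes) -> dict:
    """Report which indicators from this page's IOC list appear in one request body."""
    hits = {
        "spl_token": any(tok in body for tok in SPL_TOKENS),
        "backref": BACKREF_RE.search(body) is not None,
        "object_classes": sorted({m.group(1).decode("latin-1") for m in OBJECT_RE.finditer(body)}),
        "fake_zval": FAKE_ZVAL_TAIL in body,
    }
    # An Spl container plus a back-reference (or the fake-zval bytes) is the
    # combination the IOC notes describe; a bare Spl token alone is normal traffic.
    hits["suspicious"] = hits["spl_token"] and (hits["backref"] or hits["fake_zval"])
    return hits

def flag_requests(bodies: dict) -> list:
    """Return the names of the request bodies that trip the combined rule."""
    return [name for name, body in bodies.items() if score_payload(body)["suspicious"]]

# Constructed sample bodies (not captured traffic): one benign, two matching the IOCs.
SAMPLES = {
    "benign_array": b'a:2:{i:0;s:3:"foo";i:1;i:42;}',
    "spl_objectstorage_backref": (
        b'a:3:{i:0;i:1;i:1;C:16:"SplObjectStorage":39:{x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}}'
        b'i:2;R:3;}'
    ),
    "spl_dll_fakezval": (
        b'a:2:{i:0;C:19:"SplDoublyLinkedList":0:{}i:1;s:16:"'
        + b"\x41" * 8 + FAKE_ZVAL_TAIL + b'";}'   # 0x41 bytes stand in for the pointer
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_payload(body))
    print("flagged:", flag_requests(SAMPLES))
```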
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6m7q-7r8q-jg24: Multiple use-after-free vulnerabilities in PHP before 5 (ghsa_unreviewed · 2022-05-17 · CVE-2015-6834 · CRITICAL)
GHSA
GHSA-jp9f-r2q5-mv5q: The unserialize implementation in ext/standard/var (ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · CVE-2016-9936 · CRITICAL · CWE-416)
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
OSV
CVE-2016-9936: The unserialize implementation in ext/standard/var (osv · 2017-01-04 · CVSS 9.8 · CRITICAL)
OSV
php5 vulnerabilities (osv · 2015-09-30 · CVSS 9.8 · CVE-2015-5589 · CRITICAL)
It was discovered that the PHP phar extension incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-5589)
It was discovered that the PHP phar extension incorrectly handled certain filepaths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-5590)
Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6831, CVE-2015-6834, CVE-2015-6835)
Sean Heelan discovered that PHP incorrectly handled unserializing objects. A remote attacker co
OSV
CVE-2015-6834: Multiple use-after-free vulnerabilities in PHP before 5 (osv · 2015-09-09 · CVSS 9.8 · CRITICAL)
Red Hat
php: Use After Free in unserialize() (vendor_redhat · 2016-12-08 · CVSS 9.8 · CVE-2016-9936 · CRITICAL · CWE-416)
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php (Red Hat OpenShift Enterprise 2) - Will not fix
Package: rh-php56-php (Red Hat Software Collections) - Will not fix
Ubuntu
PHP vulnerabilities (vendor_ubuntu · 2015-09-30 · CVSS 9.8 · CVE-2015-5589 · CRITICAL)
Summary: Several security issues were fixed in PHP.
Red Hat
php: multiple unserialization use-after-free issues (vendor_redhat · 2015-07-31 · CVSS 9.8 · CVE-2015-6834 · CRITICAL · CWE-416)
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Statement: This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 5 and 6. This issue is not currently planned to be corrected in future updates in Red Hat Enterprise Linux 7.
Apple
CVE-2015-6834: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks (vendor_apple · CVSS 9.8 · CRITICAL)
Apple Security Update: About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Product: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
CVE: CVE-2015-6834
Component: CVE-2015-6834
No detection rules found.
Exploit-DB
PHP 5.4/5.5/5.6 - SplDoublyLinkedList 'Unserialize()' Use-After-Free (exploitdb · 2015-09-09 · CVE-2015-6834)
---
Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Taoguang Chen
Write Date: 2015.8.27
Release Date: 2015.9.4
A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object deserialization and a crafted object's __wakeup() magic method, which can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
Affected Versions
Affected is PHP 5.6 llist, elem TSRMLS_CC);
}
It has been demonstrated many times before that __wakeup() leads to a ZVAL being freed from memory. However, deserialization will still allow R: or r: to set references to that already freed memory. It is possible to carry out a use-after-free attack and execute arbi
Exploit-DB
PHP 5.4/5.5/5.6 - SplObjectStorage 'Unserialize()' Use-After-Free (exploitdb · 2015-09-09 · CVE-2015-6834)
---
Yet Another Use After Free Vulnerability in unserialize() with SplObjectStorage
Taoguang Chen
Write Date: 2015.8.27
Release Date: 2015.9.4
A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object deserialization and a crafted object's __wakeup() magic method, which can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
Affected Versions
Affected is PHP 5.6
```
ryat = 1;
}
}
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$
```
CTF
hitcon2015 / web500-use-after-flee (ctf_writeups · 2015 · CVSS 9.8 · CRITICAL)
# Use-After-FLEE (pwn, web 500)
Use-After-FLEE was a web challenge allowing you to upload and run arbitrary PHP scripts.
## Poking around
Uploading a script that does `phpinfo()`, we see that the PHP script is running with an `open_basedir` of `/var/www/html/:/tmp/` as well as the following functions in `disable_functions`:
```
exec, passthru, shell_exec, system, proc_open, popen, curl_exec,
curl_multi_exec, parse_ini_file, symlink, chgrp, chmod, chown, dl, mail,
imap_mail, apache_child_terminate, posix_kill, proc_terminate,
proc_get_status, syslog, openlog, ini_alter, ini_set, ini_restore,
putenv, apache_setenv, pcntl_alarm, pcntl_fork, pcntl_waitpid,
pcntl_wait, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal,
pcntl_signal_dispatch, pcntl_sigtimedwait, pcntl_sigprocmask,
pcntl_sigwaiti
```
Bugzilla
CVE-2015-6834 php: multiple unserialization use-after-free issues (bugzilla · 2015-09-07 · CVSS 9.8 · CRITICAL)
A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow R: or r: to set references to that already freed memory. It is possible to carry out a use-after-free attack and execute arbitrary code remotely.
Upstream bugs and patches:
https://bugs.php.net/bug.php?id=70172
http://git.php.net/?p=php-src.git;a=commitdiff;h=e8429400d40e3c3aa4b22ba701991d698a2f3b2f
https://bugs.php.net/bug.php?id=70366
http://git.php.net/?p=php-src.git;a=commitdiff;h=259057b2a484747a6c73ce54c4fa0f5acbd56179
https://bugs.php.net/bug.php?id=70365
http://git.php.net/?p=php-src.git;a=commitdiff;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393
Disc
References:
- http://php.net/ChangeLog-5.php
- http://www.debian.org/security/2015/dsa-3358
- http://www.securityfocus.com/bid/76649
- http://www.securitytracker.com/id/1033548
- https://bugs.php.net/bug.php?id=70172
- https://bugs.php.net/bug.php?id=70365
- https://bugs.php.net/bug.php?id=70366
- https://security.gentoo.org/glsa/201606-10
Published: 2016-05-16