CVE-2015-6834
published 2016-05-16


Priority: P274
Severity: critical, 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 46.80% (98.7th percentile)
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.

Affected

59 ranges · showing 25

Vendor | Product | Version range | Fixed in
apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 (name truncated in source) | |
php | php | <= 5.4.44 | 5.4.45
php | php | 23 further rows whose version range and fix version did not survive extraction; the affected ranges per the description are < 5.4.45, 5.5.x < 5.5.29 and 5.6.x < 5.6.13 | 

Detection & IOCs (extracted from sources)

command: sh /*/a;
path: /tmp/a
version: PHP 5.5.9-1ubuntu4.12
bytes: \x00\x00\x00\x00\x01\x00\x00\x00
  • Unserialization payloads targeting SplDoublyLinkedList: look for the class token C:19:"SplDoublyLinkedList" in user-supplied data that reaches unserialize(), especially alongside back-references (R: or r:) and an O:3:"obj" object whose class defines __wakeup.
  • Unserialization payloads targeting SplObjectStorage: look for the class token C:16:"SplObjectStorage" in user-supplied data that reaches unserialize(), combined with R: back-references and a __wakeup-bearing object.
  • The exploit embeds a fake zval inside a PHP serialized string (the 64-bit PHP 5 zval layout: an 8-byte value/pointer, a 4-byte refcount of zero, the type byte \x01, the is_ref byte \x00 and two padding bytes); scan HTTP request bodies bound for unserialize() endpoints for that byte sequence.
  • The post-exploitation stage writes a shell command to /tmp/a and runs it with 'sh /*/a;'; monitor for newly created executable files in /tmp and for short shell commands matching that glob pattern.
  • The PoC for SplDoublyLinkedList was confirmed on macOS 10.11 with PHP 5.6.12; behaviour on other platforms may differ.
  • Red Hat Enterprise Linux 5 and 6 ship PHP versions that are not affected; RHEL 7 and Red Hat Software Collections are affected, but Red Hat has stated that no fix is planned.
  • CVE-2016-9936 is a follow-on incomplete fix for this same vulnerability in PHP 7.x before 7.0.14; environments running PHP 7 should also be assessed for CVE-2016-9936.
  • The apache2 process runs as a PIE binary, so there are no fixed known addresses: the exploit needs a heap address leak and a libphp5 base address computation before it can reach code execution, which makes it environment-sensitive.
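The indicators above can be turned directly into a scanner. The following is an added example written for this page, not code from the original page, from the PoC or from the PHP project: it decodes a request body once, flags the two Spl class tokens, R:/r: back-references, user-controlled O: objects and the fake-zval byte tail, and separately matches process command lines against the 'sh /*/a;' post-exploitation pattern. The sample bodies and command lines are constructed for the demonstration; the third body only arranges the tokens so that the signature fires and is not an exploit payload.

```python
"""Heuristic scanner for CVE-2015-6834-style unserialize() payloads.

Added example for this page (not the page's, the PoC's or PHP's code).
All sample inputs below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote_to_bytes

# Serializable classes appear as C:<len>:"<class>":<len>:{<data>}.
SPL_TOKENS = (b'C:19:"SplDoublyLinkedList"', b'C:16:"SplObjectStorage"')
# R:<n>; and r:<n>; refer back to earlier slots of the unserialize() table;
# the lookbehind keeps us from matching inside an identifier.
BACKREF_RE = re.compile(rb"(?<![A-Za-z0-9_])[Rr]:\d+;")
# Any object declaration O:<len>:"<class>":<n>:{ ... }. Whether the class
# defines __wakeup is not visible in the payload, so we only record the name.
OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Fake-zval tail from the IOC list: refcount 0, type 1, is_ref 0, padding.
# The preceding 8-byte pointer is environment-specific, so it is excluded.
FAKE_ZVAL_TAIL = b"\x00\x00\x00\x00\x01\x00\x00\x00"
# Post-exploitation one-liner: a shell run on a glob-rooted short path.
POST_EXPLOIT_RE = re.compile(r"\b(?:sh|bash)\s+/\*/\w{1,3}\b")


def scan_payload(body):
    """Return (verdict, indicators) for one raw HTTP request body.

    verdict is 'alert', 'suspicious' or 'clean'.
    """
    # Form posts arrive percent-encoded; decode once so %43%3A... matches.
    data = unquote_to_bytes(body)
    ind = {
        "spl_classes": [t.split(b'"')[1].decode() for t in SPL_TOKENS if t in data],
        "backrefs": len(BACKREF_RE.findall(data)),
        "objects": [m.decode() for m in OBJECT_RE.findall(data)],
        "fake_zval": FAKE_ZVAL_TAIL in data,
    }
    if ind["fake_zval"]:
        verdict = "alert"  # raw zval bytes never belong in legitimate input
    elif ind["spl_classes"] and ind["backrefs"] and ind["objects"]:
        verdict = "alert"  # the full combination from the IOC list
    elif ind["spl_classes"] and (ind["backrefs"] or ind["objects"]):
        verdict = "suspicious"
    else:
        verdict = "clean"  # plain data, or an Spl object with no back-references
    return verdict, ind


def scan_cmdlines(lines):
    """Return the process-exec log lines matching the 'sh /*/a;' pattern."""
    return [ln for ln in lines if POST_EXPLOIT_RE.search(ln)]


# Constructed samples. 'empty_storage' is a legitimate serialized
# SplObjectStorage and must stay clean; 'spl_with_backref' merely arranges
# the tokens so the signature fires and is not an exploit payload.
SAMPLE_BODIES = {
    "plain_array": b'data=a:2:{i:0;s:3:"foo";i:1;i:42;}',
    "empty_storage": b'data=C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}',
    "spl_with_backref": b'data=a:2:{i:0;O:3:"obj":0:{}i:1;'
                        b'C:19:"SplDoublyLinkedList":15:{i:0;:R:2;:a:0:{}}}',
    "fake_zval_encoded": b"data=s:8:%22%00%00%00%00%01%00%00%00%22;",
}
SAMPLE_CMDLINES = [
    "uid=33 exe=/bin/sh cmd='sh /*/a;'",
    "uid=33 exe=/usr/sbin/apache2 cmd='/usr/sbin/apache2 -k start'",
    "uid=0 exe=/bin/sh cmd='sh /usr/local/bin/backup.sh'",
]

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        verdict, ind = scan_payload(body)
        print(f"{name:18} {verdict:10} {ind}")
    print("post-exploitation hits:", scan_cmdlines(SAMPLE_CMDLINES))
```

The verdict ladder is deliberate: a serialized SplObjectStorage by itself is ordinary session data and must not page anyone, whereas the class token together with back-references and an attacker-named object is the shape the IOC list describes. Note that on PHP 5 there is no allowed_classes option for unserialize() (it arrived in PHP 7.0), so detection is a stop-gap; the durable fix is upgrading past 5.4.45 / 5.5.29 / 5.6.13 and keeping untrusted input out of unserialize().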

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.8 | CRITICAL |