CVE-2015-6835
Published 2016-05-16
Priority P265 · critical · CVSS 3.0 base score 9.8
Exploit available · EPSS 36.99% (98.3th percentile)
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
Affected (45 ranges · showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | — | — |
| php | php | <= 5.4.44 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered when the PHP session deserializer (php, php_binary, or php_serialize handlers) calls php_var_unserialize() multiple times on crafted session content. Monitor for use of R: or r: reference tokens in serialized session data pointing to already-freed ZVALs.
- Multiple use-after-free vulnerabilities exist in all three session deserializer modes: php, php_binary, and php_serialize. Detection should cover all three session.serialize_handler values.
- Successful exploitation allows an attacker to control memory and create a fake ZVAL, observable in PHP output as unexpected integer values (e.g., 1122334455) in deserialized arrays.
- Affected PHP versions are 5.4 before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13. Red Hat Enterprise Linux 6 and 7 packages and several Red Hat Software Collections were marked 'Will not fix' due to the behavior being documented as unsafe (passing untrusted input to unserialize()).
- The vulnerability requires untrusted input to reach the session deserializer. PHP documentation explicitly warns against passing untrusted user input to unserialize(); using JSON (json_decode/json_encode) is the recommended safe alternative.
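A scanner for the R:/r: tokens the first bullet says to monitor, written as an added example here (not code from the page, from PHP, or from any source quoted on it). It assumes the session.serialize_handler=php layout (`name|value` records, `!name|` for an unset variable) and PHP 5's var_hash slot rules, and reports each back-reference together with whether it reaches into a slot created by an earlier variable, i.e. by a previous php_var_unserialize() call, which is the shape this bug needs.

```python
# Added example (not from the page or PHP). PHP 5 slot rules: every value but
# R: takes a var_hash slot, keys take none, and the count spans variables.

SAMPLE = ('user|a:2:{s:2:"id";i:7;s:4:"name";s:5:"alice";}'   # constructed
          'cart|a:1:{i:0;r:3;}'                                # reaches into "user"
          'pair|a:2:{i:0;i:1;i:1;R:7;}')                       # local reference

def scan_session_php(data):
    """Return [(variable, token, target_slot, crosses_variable), ...]."""
    if isinstance(data, bytes):
        data = data.decode('latin-1')    # s: lengths are byte counts
    st, pos = {'slot': 0, 'refs': [], 'var': '', 'first': 1}, 0
    while pos < len(data):
        bar = data.index('|', pos)
        st['var'], pos = data[pos:bar], bar + 1
        if not st['var'].startswith('!'):   # "!name|" marks an unset variable
            st['first'] = st['slot'] + 1    # first slot this variable may create
            pos = _value(data, pos, st)
    return st['refs']

def _key(d, p):                          # keys (i: or s:) take no slot
    if d[p] == 'i':
        return d.index(';', p) + 1
    c = d.index(':', p + 2)
    return c + 4 + int(d[p + 2:c])       # skip :"<bytes>";

def _value(d, p, st):
    t = d[p]
    if t != 'R':                         # PHP 5 pushes every value except R:
        st['slot'] += 1
    if t in 'Nbid':
        return d.index(';', p) + 1
    if t == 's':
        return _key(d, p)
    if t in 'rR':
        end = d.index(';', p)
        target = int(d[p + 2:end])
        st['refs'].append((st['var'], d[p:end + 1], target, target < st['first']))
        return end + 1
    if t in 'aO':
        start = p + 2                    # count, or class-name length for O:
        c = d.index(':', start)
        if t == 'O':                     # skip :"ClassName": to reach the count
            start = c + 4 + int(d[start:c])
            c = d.index(':', start)
        q = c + 2                        # past ':{'
        for _ in range(int(d[start:c])):
            q = _value(d, _key(d, q), st)
        return q + 1                     # closing '}'
    raise ValueError('unsupported type %r at offset %d' % (t, p))
```

Only the php layout is parsed; php_binary prefixes names with a length byte and php_serialize stores one array, so those handlers need their own framing before the same slot logic applies.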
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2015-09-30 · CVSS 9.8
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP phar extension incorrectly handled certain
files. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-5589)
It was discovered that the PHP phar extension incorrectly handled certain
filepaths. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-5590)
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6831, CVE-2015-6834, CVE-2015-6835)
Sean Heelan discovered that PHP inco
Red Hat
php: use-after-free vulnerability in session deserializer
vendor_redhat · 2015-08-09 · CVSS 9.8 · CWE-416
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php54-php (Red
Apple
CVE-2015-6835: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
vendor_apple · CVSS 9.8
Apple Security Update: About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
CVE: CVE-2015-6835
GHSA
GHSA-5qpr-hcf2-vwc2: The session deserializer in PHP before 5
ghsa_unreviewed · 2022-05-17
OSV
php5 vulnerabilities
osv · 2015-09-30 · CVSS 9.8
OSV
CVE-2015-6835: The session deserializer in PHP before 5
osv · 2015-09-09 · CVSS 9.8
No detection rules found.
arXiv
S2malloc: Statistically Secure Allocator for Use-After-Free Protection And More
arxiv_fulltext · 2024-05-29
Ruizhe Wang, Meng Xu, N. Asokan (University of Waterloo)
## Abstract
Attacks on heap memory, encompassing memory overflow, double and invalid free, use-after-free (UAF), and various heap spraying techniques are ever-increasing. Existing entropy-based secure memory allocators provide statistical defenses against virtually all of these attack vectors. Although they claim protections against UAF attacks, their designs are not tailored to detect (failed) attempts. Consequently, to beat this entropy-based protection, an attacker can simply launch the same attack repeatedly with the potential use
arXiv
SeMalloc: Semantics-Informed Memory Allocator
arxiv_fulltext · 2024-05-22
Ruizhe Wang, Meng Xu, N. Asokan (University of Waterloo, Canada)
CCS concepts: Security and privacy, Software security engineering
Keywords: Static analysis, use-after-free, secure memory allocator
CCS '24: the 2024 ACM SIGSAC Conference on Computer and Communications Security, October 14--18, 2024, Salt Lake City, UT
## Abstract
Use-after-free (UAF) is a critical and prevalent problem in memory unsafe languages. While many solutions have been proposed, balancing security, run-ti
Bugzilla
CVE-2015-6835 php: use-after-free vulnerability in session deserializer
bugzilla · 2015-09-07 · CVSS 9.8
A use-after-free vulnerability was found in the session deserializer. When the session deserializer (php/php_binary) is deserializing multiple data items, it calls php_var_unserialize() multiple times. We can create a ZVAL and free it via php_var_unserialize() with a crafted serialized string. Then the next php_var_unserialize() call will still allow R: or r: to set references to that already freed memory. It is possible to mount a use-after-free attack and execute arbitrary code remotely.
Upstream report:
https://bugs.php.net/bug.php?id=70219
Upstream patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=df4bf28f9f104ca3ef78ed94b497859f15b004e5
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all
References:
- http://php.net/ChangeLog-5.php
- http://www.debian.org/security/2015/dsa-3358
- http://www.securityfocus.com/bid/76734
- http://www.securitytracker.com/id/1033548
- https://bugs.php.net/bug.php?id=70219
- https://security.gentoo.org/glsa/201606-10