Vulnerability Details : CVE-2007-1286

Integer overflow in PHP 4.4.4 and earlier allows remote, context-dependent attackers to execute arbitrary code via a long string passed to the unserialize function, which triggers the overflow in the ZVAL reference counter. In PHP 4 that counter is a 16-bit field, so a serialized string carrying enough back-references to one value wraps it; the value is then released while other references still point at it, and the resulting memory corruption is what the public exploit turns into code execution.
Vulnerability category: Overflow, Execute code
Published 2007-03-06 20:19:00
Updated 2018-10-16 16:37:48
Source MITRE
View at NVD
At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2007-1286

Probability of exploitation activity in the next 30 days: 13.34%

Percentile (the proportion of vulnerabilities scored at or below this one): ~95%

Metasploit modules for CVE-2007-1286

  • PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
    Disclosure Date : 2007-03-04
    This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due to the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2 MB block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction
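The description above and the module text both hinge on one detail: PHP 4 stored the ZVAL reference counter in a 16-bit unsigned field, and unserialize() increments it once for every "R:n;" back-reference in the input (n is the 1-based index of an already-unserialized value; slot 1 is the outer array, slot 2 its first element). The following C program is an added illustration, not PHP source and not the Metasploit module. It models that counter, shows how many holders are left pointing at freed memory once the counter wraps, contrasts it with a checked increment that refuses to wrap, and estimates the serialized-payload size implied by the "approximately 900k" figure. The struct, function names and the payload layout (an array whose first element is a one-byte string, followed by integer-keyed "R:2;" entries) are assumptions chosen for the demonstration.

```c
/* Added example for CVE-2007-1286: model of a 16-bit zval refcount wrapping
 * under unserialize() back-references. Not PHP code; the structure and the
 * payload shape are assumptions made for illustration only. */
#include <limits.h>
#include <stdio.h>

typedef struct {
    unsigned short refcount;   /* PHP 4 kept this in a 16-bit field (modelled) */
    int freed;                 /* set once the "destructor" has run */
} zval_model;

/* Vulnerable behaviour: unchecked increment, silently wraps 65535 -> 0. */
static void zval_addref_unchecked(zval_model *z) { z->refcount++; }

/* Release one holder; the value is freed when the counter reaches zero,
 * which is how a zval_ptr_dtor-style release behaves. */
static void zval_delref(zval_model *z) {
    z->refcount--;
    if (z->refcount == 0) z->freed = 1;
}

/* Simulate unserialize() creating `refs` references to one value and the
 * holders later releasing them one by one. Returns how many holders still
 * point at the value at the moment it is freed: 0 is correct behaviour,
 * anything larger means dangling pointers (use-after-free). */
unsigned long dangling_holders_after_free(unsigned long refs) {
    zval_model z = { 1, 0 };          /* one owner: the array slot itself */
    unsigned long holders = 1;
    for (unsigned long i = 0; i < refs; i++) {
        zval_addref_unchecked(&z);
        holders++;
    }
    while (holders > 0) {
        holders--;
        zval_delref(&z);
        if (z.freed) return holders;  /* freed while `holders` still reference it */
    }
    return 0;
}

/* Hardened behaviour (illustrative, not the actual PHP patch): refuse to add a
 * reference when the counter would wrap, so unserialize() can abort instead.
 * Returns 0 if all `refs` references were added, -1 if the limit was hit. */
int add_refs_checked(unsigned long refs) {
    zval_model z = { 1, 0 };
    for (unsigned long i = 0; i < refs; i++) {
        if (z.refcount == USHRT_MAX) return -1;
        z.refcount++;
    }
    return 0;
}

/* Size of an assumed payload "a:<refs+1>:{i:0;s:1:"A";i:1;R:2;i:2;R:2;...}":
 * every "i:<k>;R:2;" entry re-references slot 2 (the string "A"). Counts
 * bytes only; nothing is sent anywhere. */
size_t reference_payload_bytes(unsigned long refs) {
    char buf[64];
    size_t total = (size_t)snprintf(buf, sizeof buf, "a:%lu:{i:0;s:1:\"A\";", refs + 1);
    for (unsigned long k = 1; k <= refs; k++)
        total += (size_t)snprintf(buf, sizeof buf, "i:%lu;R:2;", k);
    return total + 1;                 /* closing brace */
}

int main(void) {
    printf("10 references: %lu holders left dangling\n", dangling_holders_after_free(10));
    printf("65536 references: %lu holders left dangling\n", dangling_holders_after_free(65536));
    printf("checked add of 65535 references: %s\n",
           add_refs_checked(65535) ? "refused" : "accepted");
    printf("assumed payload for 65536 references: %zu bytes\n", reference_payload_bytes(65536));
    return 0;
}
```

Two things the numbers make concrete. The count of references matters, not just "a lot": 65,535 extra references wrap the counter to 0 and the lockstep decrements still reach zero at the right time, whereas 65,536 leave the counter at 1, so the very first release frees the value with 65,536 holders still pointing at it. And 65,536 integer-keyed "R:2;" entries come to a little under 800 KB of serialized text before any shellcode is appended, which is the same order as the module's "approximately 900k" and explains why it has to be spread over multiple Cookie headers.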

CVSS scores for CVE-2007-1286

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Source

References for CVE-2007-1286

Products affected by CVE-2007-1286
