Vulnerability Details : CVE-2007-1286
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
Vulnerability category: Overflow; Execute code
At least one public exploit which can be used to exploit this vulnerability exists!
Exploit prediction scoring system (EPSS) score for CVE-2007-1286
Probability of exploitation activity in the next 30 days: 13.34%
Percentile, the proportion of vulnerabilities that are scored at or less: ~95%
Metasploit modules for CVE-2007-1286
- PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
  Disclosure Date: 2007-03-04
  Module: exploit/multi/php/php_unserialize_zval_cookie
  This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due to the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction
CVSS scores for CVE-2007-1286
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | [email protected] |
References for CVE-2007-1286
- http://www.vupen.com/english/advisories/2007/1991
- https://issues.rpath.com/browse/RPL-1268
- http://www.securityfocus.com/bid/22765
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32796
- http://security.gentoo.org/glsa/glsa-200705-19.xml
- http://rhn.redhat.com/errata/RHSA-2007-0163.html
- http://security.gentoo.org/glsa/glsa-200703-21.xml
- http://www.trustix.org/errata/2007/0009/
- http://www.securityfocus.com/archive/1/466166/100/0/threaded
- http://rhn.redhat.com/errata/RHSA-2007-0155.html
- http://www.vupen.com/english/advisories/2007/2374
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:087
- http://www.debian.org/security/2007/dsa-1282
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11575
- http://rhn.redhat.com/errata/RHSA-2007-0154.html
- http://www.debian.org/security/2007/dsa-1283
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:088
- http://www.php-security.org/MOPB/MOPB-04-2007.html (Exploit; Patch; Vendor Advisory)
Products affected by CVE-2007-1286
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*