ID CVE-2015-6832
Summary Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.
References
Vulnerable Configurations
  • PHP 5.4.43
    cpe:2.3:a:php:php:5.4.43
  • PHP 5.5.0
    cpe:2.3:a:php:php:5.5.0
  • PHP 5.5.0 alpha1
    cpe:2.3:a:php:php:5.5.0:alpha1
  • PHP 5.5.0 alpha2
    cpe:2.3:a:php:php:5.5.0:alpha2
  • PHP 5.5.0 alpha3
    cpe:2.3:a:php:php:5.5.0:alpha3
  • PHP 5.5.0 alpha4
    cpe:2.3:a:php:php:5.5.0:alpha4
  • PHP 5.5.0 alpha5
    cpe:2.3:a:php:php:5.5.0:alpha5
  • PHP 5.5.0 alpha6
    cpe:2.3:a:php:php:5.5.0:alpha6
  • PHP 5.5.0 beta1
    cpe:2.3:a:php:php:5.5.0:beta1
  • PHP 5.5.0 beta2
    cpe:2.3:a:php:php:5.5.0:beta2
  • PHP 5.5.0 beta3
    cpe:2.3:a:php:php:5.5.0:beta3
  • PHP 5.5.0 beta4
    cpe:2.3:a:php:php:5.5.0:beta4
  • PHP 5.5.0 release candidate 1
    cpe:2.3:a:php:php:5.5.0:rc1
  • PHP 5.5.0 release candidate 2
    cpe:2.3:a:php:php:5.5.0:rc2
  • PHP 5.5.1
    cpe:2.3:a:php:php:5.5.1
  • PHP 5.5.2
    cpe:2.3:a:php:php:5.5.2
  • PHP 5.5.3
    cpe:2.3:a:php:php:5.5.3
  • PHP 5.5.4
    cpe:2.3:a:php:php:5.5.4
  • PHP 5.5.5
    cpe:2.3:a:php:php:5.5.5
  • PHP 5.5.6
    cpe:2.3:a:php:php:5.5.6
  • PHP 5.5.7
    cpe:2.3:a:php:php:5.5.7
  • PHP 5.5.8
    cpe:2.3:a:php:php:5.5.8
  • PHP 5.5.9
    cpe:2.3:a:php:php:5.5.9
  • PHP 5.5.10
    cpe:2.3:a:php:php:5.5.10
  • PHP 5.5.11
    cpe:2.3:a:php:php:5.5.11
  • PHP 5.5.12
    cpe:2.3:a:php:php:5.5.12
  • PHP 5.5.13
    cpe:2.3:a:php:php:5.5.13
  • PHP 5.5.14
    cpe:2.3:a:php:php:5.5.14
  • PHP 5.5.18
    cpe:2.3:a:php:php:5.5.18
  • PHP 5.5.19
    cpe:2.3:a:php:php:5.5.19
  • PHP 5.5.20
    cpe:2.3:a:php:php:5.5.20
  • PHP 5.5.21
    cpe:2.3:a:php:php:5.5.21
  • PHP 5.5.22
    cpe:2.3:a:php:php:5.5.22
  • PHP 5.5.23
    cpe:2.3:a:php:php:5.5.23
  • PHP 5.5.24
    cpe:2.3:a:php:php:5.5.24
  • PHP 5.5.25
    cpe:2.3:a:php:php:5.5.25
  • PHP 5.5.26
    cpe:2.3:a:php:php:5.5.26
  • PHP 5.5.27
    cpe:2.3:a:php:php:5.5.27
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP 5.6.1
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7
    cpe:2.3:a:php:php:5.6.7
  • PHP 5.6.8
    cpe:2.3:a:php:php:5.6.8
  • PHP 5.6.9
    cpe:2.3:a:php:php:5.6.9
  • PHP 5.6.10
    cpe:2.3:a:php:php:5.6.10
  • PHP 5.6.11
    cpe:2.3:a:php:php:5.6.11
CVSS
Base: 7.5 (as of 22-01-2016 - 11:25)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-609.NASL
    description The PHP5 script interpreter was updated to fix various security issues:
      - CVE-2015-6831: A use after free vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#942291] [bnc#942294] [bnc#942295]
      - CVE-2015-6832: A dangling pointer in the unserialization of ArrayObject items could be used to crash php or potentially execute code. [bnc#942293]
      - CVE-2015-6833: A directory traversal when extracting ZIP files could be used to overwrite files outside of intended area. [bnc#942296]
      - CVE-2015-6834: A Use After Free Vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945403]
      - CVE-2015-6835: A Use After Free Vulnerability in session unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945402]
      - CVE-2015-6836: A SOAP serialize_function_call() type confusion leading to remote code execution problem was fixed. [bnc#945428]
      - CVE-2015-6837 CVE-2015-6838: Two NULL pointer dereferences in the XSLTProcessor class were fixed. [bnc#945412]
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 86183
    published 2015-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86183
    title openSUSE Security Update : php5 (openSUSE-2015-609)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_787EF75E44DA11E593AD002590263BF5.NASL
    description The PHP project reports:
      Core:
      - Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
      - Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
      OpenSSL:
      - Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
      Phar:
      - Improved fix for bug #69441.
      - Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).
      SOAP:
      - Fixed bug #70081 (SoapClient info leak / NULL pointer dereference via multiple type confusions).
      SPL:
      - Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
      - Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
      - Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
      - Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85484
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85484
    title FreeBSD : php5 -- multiple vulnerabilities (787ef75e-44da-11e5-93ad-002590263bf5)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-585.NASL
    description PHP process crashes when processing an invalid file with the 'phar' extension. (CVE-2015-5589) As discussed upstream, mysqlnd is vulnerable to the attack described in https://www.duosecurity.com/blog/backronym-mysql-vulnerability. (CVE-2015-3152) PHP versions before 5.5.27 and 5.4.43 contain a buffer overflow issue. (CVE-2015-5590) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6831, CVE-2015-6832) A flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-6833)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 85458
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85458
    title Amazon Linux AMI : php56 (ALAS-2015-585) (BACKRONYM)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-341.NASL
    description
      - CVE-2015-6831 Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.
      - CVE-2015-6832 Dangling pointer in the unserialization of ArrayObject items.
      - CVE-2015-6833 Files extracted from archive may be placed outside of destination directory
      - CVE-2015-6834 Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.
      - CVE-2015-6836 A type confusion occurs within SOAP serialize_function_call due to an insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields.
      - CVE-2015-6837 The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.
      - CVE-2015-6838 The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.
      - CVE-2015-7803 A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash.
      - CVE-2015-7804 An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash.
      NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 86794
    published 2015-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86794
    title Debian DLA-341-1 : php5 security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1633-1.NASL
    description This update of PHP5 brings several security fixes.
      Security fixes:
      - CVE-2015-6831: A use after free vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#942291] [bnc#942294] [bnc#942295]
      - CVE-2015-6832: A dangling pointer in the unserialization of ArrayObject items could be used to crash php or potentially execute code. [bnc#942293]
      - CVE-2015-6833: A directory traversal when extracting ZIP files could be used to overwrite files outside of intended area. [bnc#942296]
      - CVE-2015-6834: A Use After Free Vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945403]
      - CVE-2015-6835: A Use After Free Vulnerability in session unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945402]
      - CVE-2015-6836: A SOAP serialize_function_call() type confusion leading to remote code execution problem was fixed. [bnc#945428]
      - CVE-2015-6837 CVE-2015-6838: Two NULL pointer dereferences in the XSLTProcessor class were fixed. [bnc#945412]
      Bugfixes:
      - Compare with SQL_NULL_DATA correctly [bnc#935074]
      - If MD5 was disabled in net-snmp we have to disable the used MD5 function in ext/snmp/snmp.c as well. (bsc#944302)
      Also the Suhosin framework was updated to 0.9.38. [fate#319325]
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119971
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119971
    title SUSE SLES12 Security Update : php5 (SUSE-SU-2015:1633-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-584.NASL
    description PHP process crashes when processing an invalid file with the 'phar' extension. (CVE-2015-5589) As discussed upstream, mysqlnd is vulnerable to the attack described in https://www.duosecurity.com/blog/backronym-mysql-vulnerability. (CVE-2015-3152) PHP versions before 5.5.27 and 5.4.43 contain a buffer overflow issue. (CVE-2015-5590) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6831, CVE-2015-6832) A flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-6833)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 85457
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85457
    title Amazon Linux AMI : php55 (ALAS-2015-584) (BACKRONYM)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-583.NASL
    description PHP process crashes when processing an invalid file with the 'phar' extension. (CVE-2015-5589) As discussed upstream, mysqlnd is vulnerable to the attack described in https://www.duosecurity.com/blog/backronym-mysql-vulnerability. (CVE-2015-3152) PHP versions before 5.5.27 and 5.4.43 contain a buffer overflow issue. (CVE-2015-5590) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6831, CVE-2015-6832) A flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-6833)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 85456
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85456
    title Amazon Linux AMI : php54 (ALAS-2015-583) (BACKRONYM)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2758-1.NASL
    description It was discovered that the PHP phar extension incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-5589) It was discovered that the PHP phar extension incorrectly handled certain filepaths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-5590) Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6831, CVE-2015-6834, CVE-2015-6835) Sean Heelan discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6832) It was discovered that the PHP phar extension incorrectly handled certain archives. A remote attacker could use this issue to cause files to be placed outside of the destination directory. (CVE-2015-6833) Andrea Palazzo discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6836) It was discovered that the PHP XSLTProcessor class incorrectly handled certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-6837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86221
    published 2015-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86221
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : php5 vulnerabilities (USN-2758-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3344.NASL
    description Multiple vulnerabilities have been discovered in the PHP language:
      - CVE-2015-4598 thoger at redhat dot com discovered that paths containing a NUL character were improperly handled, thus allowing an attacker to manipulate unexpected files on the server.
      - CVE-2015-4643 Max Spelsberg discovered an integer overflow flaw leading to a heap-based buffer overflow in PHP's FTP extension, when parsing listings in FTP server responses. This could lead to a crash or execution of arbitrary code.
      - CVE-2015-4644 A denial of service through a crash could be caused by a segfault in the php_pgsql_meta_data function.
      - CVE-2015-5589 kwrnel at hotmail dot com discovered that PHP could crash when processing an invalid phar file, thus leading to a denial of service.
      - CVE-2015-5590 jared at enhancesoft dot com discovered a buffer overflow in the phar_fix_filepath function, that could cause a crash or execution of arbitrary code.
      - Additionally, several other vulnerabilities were fixed: sean dot heelan at gmail dot com discovered a problem in the unserialization of some items, that could lead to arbitrary code execution. stewie at mail dot ru discovered that the phar extension improperly handled zip archives with relative paths, which would allow an attacker to overwrite files outside of the destination directory. taoguangchen at icloud dot com discovered several use-after-free vulnerabilities that could lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85664
    published 2015-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85664
    title Debian DSA-3344-1 : php5 - security update
  • NASL family CGI abuses
    NASL id PHP_5_5_28.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.28. It is, therefore, affected by multiple vulnerabilities:
      - Multiple use-after-free errors exist in spl_array.c, spl_observer.c, and spl_dllist.c due to improper sanitization of input to the unserialize() function. An attacker can exploit these issues, by using a specially crafted SplDoublyLinkedList, SplArrayObject, or SplObjectStorage object, to dereference freed memory and thus execute arbitrary code. (CVE-2015-6831)
      - A dangling pointer error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to gain control over a deallocated pointer and thus execute arbitrary code. (CVE-2015-6832)
      - A path traversal flaw exists in file phar_object.c due to improper sanitization of user-supplied input. An attacker can exploit this to write arbitrary files. (CVE-2015-6833)
      - A type confusion flaw exists in the serialize_function_call() function in soap.c due to improper validation of input passed via the header field. A remote attacker can exploit this to execute arbitrary code. (CVE-2015-6836)
      - Multiple type confusion flaws exist in the _call() method in file php_http.c when handling calls for zend_hash_get_current_key or 'Z*'. An attacker can exploit this to disclose memory contents or crash an application using PHP. (CVE-2015-8835)
      - The openssl_random_pseudo_bytes() function in file openssl.c does not generate sufficiently random numbers. This allows an attacker to more easily predict the results, thus allowing further attacks to be carried out. (CVE-2015-8867)
      - A flaw exists in file zend_exceptions.c due to the improper use of the function unserialize() during recursive method calls. A remote attacker can exploit this to crash an application using PHP. (CVE-2015-8873)
      - A flaw exists in file zend_exceptions.c due to insufficient type checking by functions unserialize() and __toString(). A remote attacker can exploit this to cause a NULL pointer dereference or unexpected method execution, thus causing an application using PHP to crash. (CVE-2015-8876)
      - An integer truncation flaw exists in the zend_hash_compare() function in zend_hash.c that is triggered when comparing arrays. A remote attacker can exploit this to cause arrays to be improperly matched during comparison.
      Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 85299
    published 2015-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85299
    title PHP 5.5.x < 5.5.28 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201606-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)
      Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.
      Impact: An attacker can possibly execute arbitrary code or create a Denial of Service condition.
      Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-10
    plugin id 91704
    published 2016-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91704
    title GLSA-201606-10 : PHP: Multiple vulnerabilities
refmap via4
confirm
debian DSA-3344
gentoo GLSA-201606-10
the hacker news via4
id THN:ADC5E0B7C8DF1100E34C28AC74897A50
last seen 2018-01-27
modified 2016-12-29
published 2016-12-28
reporter Swati Khandelwal
source https://thehackernews.com/2016/12/php-7-update.html
title 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
Last major update 29-11-2016 - 22:02
Published 19-01-2016 - 00:59
Last modified 03-11-2017 - 21:29