ID CVE-2015-6835
Summary The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
References
Vulnerable Configurations
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP 5.6.1 -
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3 -
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4 -
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5 -
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6 -
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7 -
    cpe:2.3:a:php:php:5.6.7
  • PHP 5.6.8 -
    cpe:2.3:a:php:php:5.6.8
  • PHP 5.6.9 -
    cpe:2.3:a:php:php:5.6.9
  • PHP 5.6.10 -
    cpe:2.3:a:php:php:5.6.10
  • PHP 5.6.11 -
    cpe:2.3:a:php:php:5.6.11
  • PHP 5.6.12 -
    cpe:2.3:a:php:php:5.6.12
  • PHP 5.4.44
    cpe:2.3:a:php:php:5.4.44
  • PHP 5.5.0 -
    cpe:2.3:a:php:php:5.5.0
  • PHP 5.5.0 alpha1
    cpe:2.3:a:php:php:5.5.0:alpha1
  • PHP 5.5.0 alpha2
    cpe:2.3:a:php:php:5.5.0:alpha2
  • PHP 5.5.0 alpha3
    cpe:2.3:a:php:php:5.5.0:alpha3
  • PHP 5.5.0 alpha4
    cpe:2.3:a:php:php:5.5.0:alpha4
  • PHP 5.5.0 alpha5
    cpe:2.3:a:php:php:5.5.0:alpha5
  • PHP 5.5.0 alpha6
    cpe:2.3:a:php:php:5.5.0:alpha6
  • PHP 5.5.0 beta1
    cpe:2.3:a:php:php:5.5.0:beta1
  • PHP 5.5.0 beta2
    cpe:2.3:a:php:php:5.5.0:beta2
  • PHP 5.5.0 beta3
    cpe:2.3:a:php:php:5.5.0:beta3
  • PHP 5.5.0 beta4
    cpe:2.3:a:php:php:5.5.0:beta4
  • PHP 5.5.0 release candidate 1
    cpe:2.3:a:php:php:5.5.0:rc1
  • PHP 5.5.0 release candidate 2
    cpe:2.3:a:php:php:5.5.0:rc2
  • PHP 5.5.1
    cpe:2.3:a:php:php:5.5.1
  • PHP 5.5.2 -
    cpe:2.3:a:php:php:5.5.2
  • PHP 5.5.3
    cpe:2.3:a:php:php:5.5.3
  • PHP 5.5.4 -
    cpe:2.3:a:php:php:5.5.4
  • PHP 5.5.5 -
    cpe:2.3:a:php:php:5.5.5
  • PHP 5.5.6 -
    cpe:2.3:a:php:php:5.5.6
  • PHP 5.5.7 -
    cpe:2.3:a:php:php:5.5.7
  • PHP 5.5.8 -
    cpe:2.3:a:php:php:5.5.8
  • PHP 5.5.9 -
    cpe:2.3:a:php:php:5.5.9
  • PHP 5.5.10 -
    cpe:2.3:a:php:php:5.5.10
  • PHP 5.5.11 -
    cpe:2.3:a:php:php:5.5.11
  • PHP 5.5.12 -
    cpe:2.3:a:php:php:5.5.12
  • PHP 5.5.13 -
    cpe:2.3:a:php:php:5.5.13
  • PHP 5.5.14 -
    cpe:2.3:a:php:php:5.5.14
  • PHP 5.5.15 -
    cpe:2.3:a:php:php:5.5.15
  • PHP 5.5.16 -
    cpe:2.3:a:php:php:5.5.16
  • PHP 5.5.17 -
    cpe:2.3:a:php:php:5.5.17
  • PHP 5.5.18 -
    cpe:2.3:a:php:php:5.5.18
  • PHP 5.5.19 -
    cpe:2.3:a:php:php:5.5.19
  • PHP 5.5.20 -
    cpe:2.3:a:php:php:5.5.20
  • PHP 5.5.21 -
    cpe:2.3:a:php:php:5.5.21
  • PHP 5.5.22 -
    cpe:2.3:a:php:php:5.5.22
  • PHP 5.5.23 -
    cpe:2.3:a:php:php:5.5.23
  • PHP 5.5.24 -
    cpe:2.3:a:php:php:5.5.24
  • PHP 5.5.25 -
    cpe:2.3:a:php:php:5.5.25
  • PHP 5.5.26 -
    cpe:2.3:a:php:php:5.5.26
  • PHP 5.5.27 -
    cpe:2.3:a:php:php:5.5.27
  • PHP 5.5.28
    cpe:2.3:a:php:php:5.5.28
CVSS
Base: 7.5 (as of 16-05-2016 - 18:30)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description PHP Session Deserializer Use-After-Free. CVE-2015-6835. DoS exploit for the PHP platform
id EDB-ID:38123
last seen 2016-02-04
modified 2015-09-09
published 2015-09-09
reporter Taoguang Chen
source https://www.exploit-db.com/download/38123/
title PHP Session Deserializer Use-After-Free
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-609.NASL
    description The PHP5 script interpreter was updated to fix various security issues : - CVE-2015-6831: A use after free vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#942291] [bnc#942294] [bnc#942295] - CVE-2015-6832: A dangling pointer in the unserialization of ArrayObject items could be used to crash php or potentially execute code. [bnc#942293] - CVE-2015-6833: A directory traversal when extracting ZIP files could be used to overwrite files outside of intended area. [bnc#942296] - CVE-2015-6834: A Use After Free Vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945403] - CVE-2015-6835: A Use After Free Vulnerability in session unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945402] - CVE-2015-6836: A SOAP serialize_function_call() type confusion leading to remote code execution problem was fixed. [bnc#945428] - CVE-2015-6837 CVE-2015-6838: Two NULL pointer dereferences in the XSLTProcessor class were fixed. [bnc#945412]
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 86183
    published 2015-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86183
    title openSUSE Security Update : php5 (openSUSE-2015-609)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2015-007.NASL
    description The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-004 or 2015-007. It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework - apache_mod_php - ATS - Audio - CFNetwork - CoreGraphics - CoreText - EFI - FontParser - Grand Central Dispatch - ImageIO - IOAcceleratorFamily - Kernel - libarchive - MCX Application Restrictions - OpenGL Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 86829
    published 2015-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86829
    title Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1633-1.NASL
    description This update of PHP5 brings several security fixes. Security fixes : - CVE-2015-6831: A use after free vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#942291] [bnc#942294] [bnc#942295] - CVE-2015-6832: A dangling pointer in the unserialization of ArrayObject items could be used to crash php or potentially execute code. [bnc#942293] - CVE-2015-6833: A directory traversal when extracting ZIP files could be used to overwrite files outside of intended area. [bnc#942296] - CVE-2015-6834: A Use After Free Vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945403] - CVE-2015-6835: A Use After Free Vulnerability in session unserialize() has been fixed which could be used to crash php or potentially execute code. [bnc#945402] - CVE-2015-6836: A SOAP serialize_function_call() type confusion leading to remote code execution problem was fixed. [bnc#945428] - CVE-2015-6837 CVE-2015-6838: Two NULL pointer dereferences in the XSLTProcessor class were fixed. [bnc#945412] Bugfixes : - Compare with SQL_NULL_DATA correctly [bnc#935074] - If MD5 was disabled in net-snmp we have to disable the used MD5 function in ext/snmp/snmp.c as well. (bsc#944302) Also the Suhosin framework was updated to 0.9.38. [fate#319325] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119971
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119971
    title SUSE SLES12 Security Update : php5 (SUSE-SU-2015:1633-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11_1.NASL
    description The remote host is running a version of Mac OS X that is 10.9.5 or later but prior to 10.11.1 It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework (CVE-2015-5940) - apache_mod_php (CVE-2015-0235, CVE-2015-0273, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) - ATS (CVE-2015-6985) - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003) - Bom (CVE-2015-7006) - CFNetwork (CVE-2015-7023) - configd (CVE-2015-7015) - CoreGraphics (CVE-2015-5925, CVE-2015-5926) - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992, CVE-2015-7017) - Directory Utility (CVE-2015-6980) - Disk Images (CVE-2015-6995) - EFI (CVE-2015-7035) - File Bookmark (CVE-2015-6987) - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976, CVE-2015-6977, CVE-2015-6978, CVE-2015-6990, CVE-2015-6991, CVE-2015-6993, CVE-2015-7008, CVE-2015-7009, CVE-2015-7010, CVE-2015-7018) - Grand Central Dispatch (CVE-2015-6989) - Graphics Drivers (CVE-2015-7019, CVE-2015-7020, CVE-2015-7021) - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937, CVE-2015-5938, CVE-2015-5939) - IOAcceleratorFamily (CVE-2015-6996) - IOHIDFamily (CVE-2015-6974) - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994) - libarchive (CVE-2015-6984) - MCX Application Restrictions (CVE-2015-7016) - Net-SNMP (CVE-2014-3565, CVE-2012-6151) - OpenGL (CVE-2015-5924) - OpenSSH (CVE-2015-6563) - Sandbox (CVE-2015-5945) - Script Editor (CVE-2015-7007) - Security (CVE-2015-6983, CVE-2015-7024) - SecurityAgent (CVE-2015-5943) Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 86654
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86654
    title Mac OS X < 10.11.1 Multiple Vulnerabilities
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL17377.NASL
    description A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow the use of R: or r: to set references to that already freed memory. It is possible to carry out a use-after-free attack and execute arbitrary code remotely.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 91433
    published 2016-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91433
    title F5 Networks BIG-IP : PHP vulnerabilities (SOL17377)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-274-02.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 86223
    published 2015-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86223
    title Slackware 14.0 / 14.1 / current : php (SSA:2015-274-02)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2758-1.NASL
    description It was discovered that the PHP phar extension incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-5589) It was discovered that the PHP phar extension incorrectly handled certain filepaths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-5590) Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6831, CVE-2015-6834, CVE-2015-6835) Sean Heelan discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6832) It was discovered that the PHP phar extension incorrectly handled certain archives. A remote attacker could use this issue to cause files to be placed outside of the destination directory. (CVE-2015-6833) Andrea Palazzo discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-6836) It was discovered that the PHP XSLTProcessor class incorrectly handled certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-6837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86221
    published 2015-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86221
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : php5 vulnerabilities (USN-2758-1)
  • NASL family CGI abuses
    NASL id PHP_5_5_29.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.29. It is, therefore, affected by the following vulnerabilities : - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialized string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit these flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 85886
    published 2015-09-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85886
    title PHP 5.5.x < 5.5.29 Multiple Vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-601.NASL
    description As reported upstream, a NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. (CVE-2015-7803) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6834, CVE-2015-6835, CVE-2015-6836) A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets. (CVE-2015-6837, CVE-2015-6838) As reported upstream, an uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. (CVE-2015-7804)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86495
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86495
    title Amazon Linux AMI : php56 (ALAS-2015-601)
  • NASL family CGI abuses
    NASL id PHP_5_4_45.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.4.x prior to 5.4.45. It is, therefore, affected by the following vulnerabilities : - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialized string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit these flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 85885
    published 2015-09-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85885
    title PHP 5.4.x < 5.4.45 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3D675519565411E59AD814DAE9D210B8.NASL
    description PHP reports : - Core : - Fixed bug #70172 (Use After Free Vulnerability in unserialize()). - Fixed bug #70219 (Use after free vulnerability in session deserializer). - EXIF : - Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes). - hash : - Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). - PCRE : - Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). - SOAP : - Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). - SPL : - Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). - Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). - XSLT : - Fixed bug #69782 (NULL pointer dereference). - ZIP : - Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85859
    published 2015-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85859
    title FreeBSD : php -- multiple vulnerabilities (3d675519-5654-11e5-9ad8-14dae9d210b8)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-602.NASL
    description As reported upstream, a NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. (CVE-2015-7803) A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6834, CVE-2015-6835, CVE-2015-6836) A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets. (CVE-2015-6837, CVE-2015-6838) As reported upstream, an uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. (CVE-2015-7804)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86496
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86496
    title Amazon Linux AMI : php55 (ALAS-2015-602)