Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities Plague PHP 7’s Unserialize Mechanism

PHP 7’s “unserialize” function is plagued by a series of vulnerabilities that could allow an attacker to take full control over affected servers, Check Point security researchers reveal.

PHP 7’s “unserialize” function is plagued by a series of vulnerabilities that could allow an attacker to take full control over affected servers, Check Point security researchers reveal.

Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the vulnerabilities are new, but they can be exploited in a similar manner as detailed in a separate vulnerability detailed in August. The flaw, a use-after-free in SPL, could be exploited “by using re-usable exploit primitives for PHP-7 unserialize vulnerabilities,” Check Point said in August.

In a report (PDF) that provides full details of the exploitation method, Check Point experts explained that the unserialize function could be abused to read memory, to forge objects, and to achieve code execution on the affected server. They also underlined that the function was dangerous and that it had been proven so numerous times over the past years, although it remained in use.

In August, the security researchers also said that the aforementioned re-usable exploit primitives were general enough to be applied to all vulnerabilities found in the unserialize mechanism. Now, they claim that the newly discovered flaws can be abused in a similar manner, which apparently confirms the previous statement.

What’s more, the security firm notes that flaws in the unserialize mechanism were heavily exploited in PHP 5 by hackers looking to compromise popular platforms, including Magento, vBulletin, Drupal, and Joomla!. Attackers were able to compromise other web servers as well, by sending maliciously crafted data in client cookies.

According to Check Point, the first two of the fresh bugs allow an attacker to take full control over the impacted servers. Thus, they could do “anything they want with the website, from spreading malware to defacing it or stealing customer data,” the security researchers warn.

As for the third bug, it can be abused to generate a Denial of Service (DoS) attack through which the attacker would basically hang the website, move to exhaust its memory consumption, and then shut it down.

The three security issues were made public this week, but they were found earlier this year. According to Check Point, the vulnerabilities were reported to the PHP security team on September 15 and August 6. Two of the vulnerabilities were resolved on October 13 and December 1, but one of them remains unpatched.

“PHP 7, the latest release of the popular web programming language that powers more than 80% of websites, offers great advantages for website owners and developers. Some of them include doubling the performance and adding numerous functionalities. Yet for hackers, it represents a completely fresh attack vector, where they can find previously undisclosed vulnerabilities,” Check Point notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.