Pierluigi Paganini December 30, 2016

Researchers at the security firm CheckPoint have discovered three fresh critical zero day vulnerability in the last PHP 7.

Security researchers at the firm CheckPoint have discovered three fresh critical 0-day vulnerabilities in last PHP 7.

These vulnerabilities allow an attacker to take full control over 80 percent of websites which run on the latest release of the popular web programming language. The bad news is that one of the vulnerabilities remains unpatched again.

Security researchers at Check Point’s have analyzed in the last months PHP 7 and focused their efforts into “the unserialized mechanism” which is one of the most well-known vulnerable areas of PHP.

This is the same mechanism that was strongly exploited in PHP 5 and allowed attackers to compromise popular platforms, including Magento, vBulletin, Drupal, Joomla!, Pornhub’s website and other affected web servers in past, by sending maliciously crafted data in client cookies or to expose API calls.

The vulnerabilities are tracked as:

• CVE-2016-7479 User After Free(UAF) Code Execution
• CVE-2016-7480 Use of Uninitialized Value Code Execution
• CVE-2016-7478 Remote Denial of Service

The exploitation of the first two vulnerabilities could allow an attacker to take complete control over affected servers, this means that it is possible to exploit them to spread malware as well as to steal data they store.

The last vulnerability triggers a remote Denial of Service attack/threat which basically hangs the website, exhausts its memory consumption, and a possible site down.

“The first vulnerability allows a remote attacker to unserialize a pathological exception object which refers to itself as the previous exception.” states the report. “When invoking the __toString method of this exception, the code iterates over the chain of exceptions. As the chain of exceptions consists of just that one object that points to itself, the iteration never terminates. “

For more technical details about the vulnerabilities give a look at the report.

“We have reported the three vulnerabilities to the PHP security team on the 15th of September and 6th of August. The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December.”

To ensure your webserver’s security, we recommend you should upgrade to latest version of PHP and stay tuned on PHP’s official site for news and updates.

Below the list of vulnerable PHP versions:

• CVE-2016-7479 Version <= 7.0.13
• CVE-2016-7480 Version < 7.0.12
• CVE-2016-7478 Version <= 7.0.13 and 5.6.26

Written by: @GranetMan

Granet is a young and Junior IT Security Researcher, he is passionate in Linux, Arduino, Digital Forensics, Cyber Security, Free software and Malware Analysis

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PHP 7, hacking)