VYPR
Critical severity 9.8 · NVD Advisory · Published Aug 7, 2016 · Updated May 6, 2026

CVE-2016-5773

Description

A use-after-free in PHP's zip extension allows remote code execution via crafted serialized data containing a ZipArchive object.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in php_zip.c within the PHP zip extension. It arises from an improper interaction between the unserialize implementation and garbage collection when processing a ZipArchive object. This affects PHP versions before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8. The code path is reachable when an application unserializes user-supplied data containing a crafted ZipArchive object.

Exploitation

An attacker needs no authentication or special network position; they only need to supply malicious serialized data to a PHP application that calls unserialize() on untrusted input. The exploit sequence involves crafting serialized data that, when unserialized, triggers a use-after-free condition during garbage collection of the ZipArchive object.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the PHP process or cause a denial of service (application crash). This can lead to full compromise of the affected system, including data disclosure, modification, or destruction.

Mitigation

Fixed versions are 5.5.37, 5.6.23, and 7.0.8. Red Hat provided an updated package (rh-php56-php to version 5.6.25) in RHSA-2016-2750 [1]. Users should upgrade to a patched version immediately. No workaround is available for unpatched installations.
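
A fleet-triage check for the version ranges stated above, added here as an example and not part of the advisory or of PHP. The hostnames, version strings and status labels are constructed; reporting a distro-suffixed version as "verify-with-vendor" assumes the vendor may have backported the fix without changing the upstream version number.

```python
import re

# Upstream ranges as stated in this advisory:
# before 5.5.37, 5.6.x before 5.6.23, 7.x before 7.0.8.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)([-+~]\S+)?")

def in_affected_range(v):
    """True if an upstream (major, minor, patch) tuple falls in the stated ranges."""
    return (v < (5, 5, 37)
            or (5, 6, 0) <= v < (5, 6, 23)
            or (7, 0, 0) <= v < (7, 0, 8))

def classify(raw):
    """Map a version string (`php -v` output or a package version) to a status."""
    m = VERSION_RE.search(raw)
    if m is None:
        return "unparsed"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if not in_affected_range(version):
        return "not-in-range"
    # Assumption: a distro suffix means the vendor may have backported the fix
    # without bumping the upstream number, so confirm against the vendor advisory.
    return "verify-with-vendor" if m.group(4) else "affected"

def triage(inventory):
    """Classify every host in a {hostname: version string} inventory."""
    return {host: classify(raw) for host, raw in inventory.items()}

# Constructed sample inventory (hostnames and version strings are illustrative).
SAMPLE = {
    "web-01": "PHP 5.6.22 (cli) (built: Jun  1 2016 10:00:00)",
    "web-02": "PHP 7.0.8 (cli)",
    "web-03": "5.4.16-36.el7_1",
    "web-04": "5.6.25-1.el7",
    "web-05": "version unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" need a manual check rather than being assumed safe.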

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

References

12
