CVE-2007-1376

PHP <4.4.5, <5.2.1 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-1376. PoCs published by Stefan Esser.

AI-analyzed exploit summary: This exploit leverages a memory disclosure vulnerability in PHP's ext/shmop and ext/gd to dump RSA private keys from memory. It scans memory for RSA key signatures and extracts them if found.

Description

The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Stefan Esser · php · local · linux
https://www.exploit-db.com/exploits/3427

This exploit leverages a memory disclosure vulnerability in PHP's ext/shmop and ext/gd to dump RSA private keys from memory. It scans memory for RSA key signatures and extracts them if found.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: PHP with ext/gd and ext/shmop loaded
No auth needed
Prerequisites: PHP with ext/gd and ext/shmop extensions loaded
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Stefan Esser · php · local · linux
https://www.exploit-db.com/exploits/3426

This exploit leverages a memory corruption vulnerability in PHP's shmop extension to execute arbitrary shellcode. It scans Apache memory for a specific pattern, overwrites an address to redirect execution to the shellcode, and binds a shell to port 4444.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: PHP < 5.2.0 with ext/gd and ext/shmop loaded
No auth needed
Prerequisites: PHP < 5.2.0 · ext/gd and ext/shmop loaded · Linux x86 environment
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/25056
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://www.osvdb.org/32781
Third Party Advisory [vendor-advisory, x_refsource_debian]: http://www.debian.org/security/2007/dsa-1283
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/24606
Third Party Advisory [vendor-advisory, x_refsource_gentoo]: http://security.gentoo.org/glsa/glsa-200703-21.xml
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/25062
Exploit, Third Party Advisory [exploit, x_refsource_exploit-db]: https://www.exploit-db.com/exploits/3427
Vendor Advisory [vendor-advisory, x_refsource_ubuntu]: http://www.ubuntu.com/usn/usn-455-1
Exploit [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/22862
Exploit, Third Party Advisory [exploit, x_refsource_exploit-db]: https://www.exploit-db.com/exploits/3426
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/25057
Vendor Advisory [vendor-advisory, x_refsource_suse]: http://www.novell.com/linux/security/advisories/2007_32_php.html

Scores

EPSS 0.1003
EPSS Percentile 95.0%

Details

Status published
Products (36)
php/php 4.0 (8 CPE variants)
php/php 4.0.0
php/php 4.0.1 (3 CPE variants)
php/php 4.0.2
php/php 4.0.3 (2 CPE variants)
php/php 4.0.4 (2 CPE variants)
php/php 4.0.5
php/php 4.0.6
php/php 4.0.7 (4 CPE variants)
php/php 4.1.0
... and 26 more
Published Mar 10, 2007
Tracked Since Feb 18, 2026