CVE-2016-3078
CRITICAL
PHP < 7.0.6 - Integer Overflow in ZipArchive getFromIndex and getFromName
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2016-3078. PoCs published by Hans Jerry Illikainen.
AI-analyzed exploit summary: The exploit leverages an integer wrap vulnerability in PHP 7.x before 7.0.6, where the `getFromIndex()` and `getFromName()` methods of `ZipArchive` mishandle large uncompressed file sizes, leading to a heap overflow. The PoC demonstrates remote code execution (RCE) by triggering the vulnerability in a PHP-FPM environment.
Description
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H