The session extension does not set the correct reference count value for the session variables, because it does not include the internal pointer from within the session globals. Due to this unsetting _SESSION and HTTP_SESSION_VARS will destroy the Hashtable containing the session data although the session extension still has an internal pointer to it and still uses it internally. This allows replacing the Hashtable through a specially prepared string and leads to code execution.
The summary says it all. For further clarification test the exploit.
Proof of concept, exploit or instructions to reproduce
The attached proof of concept code will execute the supplied shellcode through this vulnerability. It requires an offset to for example zend_execute_internal that is intially NULL and when overwritten results in code execution.
You cannot simply replace the shellcode. The shellcode given is specially prepared to result in a Hashtable bucket with a hash key that is an actual x86 jmp instruction into the nopspace of the shellcode.
Under normal situations this vulnerability can only be exploited locally. But in some situations remote code execution can be possible. For this to happen the attacked application needs to have code that can be tricked into unsetting HTTP_SESSION_VARS and _SESSION. This has to happen after a session_start() or when session auto start is activated. If both conditions are meet remote code execution might be possible.
SecurityReason Note :
Exploit - http://securityreason.com/exploitalert/2219