Several binaries and shell scripts installed by Zend Platform come with insecure file permissions. Certain files are incorrectly owned by the web server user or by the user account that installed Zend Platform.
By compromising the web server account, for example through one of the MOPB exploits, or by compromising the user account that installed Zend Platform, an attacker is able to elevate his privileges by replacing or editing these files, which will run with root privileges on the next server restart.
Proof of concept, exploit or instructions to reproduce
On a system using mod_php where safe_mode and open_basedir are not activated, you can, for example, directly edit /usr/local/Zend/bin/scd.sh, which is the startup script for the Zend session management daemon. Insert any command you want and restart the web server. The inserted commands will be executed with root permissions.
If the system has safe_mode and open_basedir activated, just use one of the local vulnerabilities that will be disclosed during this month.
This issue was disclosed to Zend at the end of January 2007. Meanwhile, Zend provides instructions on how to fix the file permissions on their site. However, their recommendation is to upgrade to Zend Platform 3.0.
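To check an installation for the condition described above, the following added example (not part of the original advisory and not Zend's own fix instructions) lists files and directories under a given path that an account other than the expected owner could edit or replace. The function name audit_root_run_files and its arguments are assumptions made for this example; /usr/local/Zend/bin is the path named in the advisory.

```shell
#!/bin/sh
# Added example: find files that run as root but can be changed by a
# less privileged account (wrong owner, or group/world writable).
#
# audit_root_run_files DIR [EXPECTED_OWNER]
#   DIR             directory holding scripts/binaries started as root
#   EXPECTED_OWNER  user name or numeric uid that should own everything
#                   (defaults to root)
# Prints one offending path per line.
# Returns 0 if clean, 1 if anything was flagged, 2 on a bad argument.
audit_root_run_files() {
    dir=$1
    owner=${2:-root}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Directories are checked as well as regular files: a writable
    # directory lets its owner replace a file even when the file itself
    # is root-owned and read-only. Symlinks are skipped because their
    # own mode bits are not meaningful.
    # Group-writable entries are flagged conservatively; review them by
    # hand if the group is known to contain only root.
    findings=$(find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use on an affected host (run as root so every entry is readable):
#   audit_root_run_files /usr/local/Zend/bin
```

Any path it prints should be re-owned by root and stripped of group and world write permission before the next server restart.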