Latest commit 8a19918 (Apr 10, 2019) by real: Added info
File: cfreal-carpediem.php (latest commit: "PHP 7.1 doesn't deallocate twice (UAF)", Apr 9, 2019)

CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation

This is a local root exploit for Apache HTTPd. Details here. This is a POC: it might fail for a dozen reasons. PRs welcome.


The exploit has been tested and works on:

Ubuntu 18.04.2 LTS

PHP : 7.1.27-1 / 7.2.15-0 / 7.3.3-1
Apache : Apache/2.4.29 (Ubuntu), build 2018-03-02T02:19:31

Ubuntu 16.04.6 LTS

PHP : 7.1.27-1 / 7.2.16-1 / 7.3.3-1
Apache : Apache/2.4.18 (Ubuntu), build 2016-04-15T18:00:57

Debian GNU/Linux 9.8 (stretch)

PHP : 7.1.27-1 / 7.2.16-1 / 7.3.3-1
Apache : Apache/2.4.25 (Debian), build 2018-11-03T18:46:19 (latest version when debian-security repo is disabled)
