PHP :: Bug #62474 :: com_event_sink crashes when closure object given as an argument

Bug #62474

com_event_sink crashes when closure object given as an argument

Submitted:

2012-07-03 20:18 UTC

Modified:

2020-10-22 16:12 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

deadb17ch at gmail dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

COM related

PHP Version:

7.3

OS:

Windows XP SP3

Private report:

CVE-ID:

None

View Developer Edit

[2012-07-03 20:18 UTC] deadb17ch at gmail dot com

Description:
------------
com_event_sink() crashes when closure object (anonymouse function) is given as the 
second argument...

Test script:
---------------
<?php

$__evil = function() { };

com_event_sink(
	/* variant */	new Variant(),
	/* object  */	$__evil,			// oink!
	/* mixed   */	array()
);

?>

Expected result:
----------------
nothing happends or an information about error (or maybe argument type mismatch) 
occurs


Actual result:
--------------
crash

eax=00000000 ebx=010328f0 ecx=00000000 edx=00000001 esi=0121e438 edi=00000000
eip=100f33c8 esp=00c0fa50 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\xampp\php\php5ts.dll - 
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????

Patches

Pull Requests

Pull requests:

Fix #62474: com_event_sink crashes on certain arguments (php-src/6372)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-07-26 13:32 UTC] fb1h2s at gmail dot com

It's possible to achieve code execution using this bug. 

$_evil_object = new VARIANT(0x41414141);

[2012-07-26 13:43 UTC] deadb17ch at gmail dot com

I know. I have send an advisory about possible code execution  in com_event_sink()  
function using VARIANT object to bugtraq some time ago (21 May) :

http://cxsecurity.com/issue/WLB-2012050163
http://www.exploit-db.com/exploits/18910/

but this time it is about bug in second argument, not first.

[2012-07-27 20:43 UTC] fb1h2s at gmail dot com

Oh yea my mistake I was referring to arg 1 crash, dint see a Bug Id open for that here though.

<?php


$buffer = str_repeat("A", 1000);


$vVar = new VARIANT(0x41414141); // We controll this
$vVar2 = new VARIANT(0x41414141); // 


com_event_sink($vVar, $vVar2 , $buffer );

?>

[2012-09-11 14:08 UTC] fb1h2s at gmail dot com

A reliable way to get coded execution  http://www.garage4hackers.com/blogs/8/web-
app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-
394/ using this bug.

[2020-10-22 16:12 UTC] cmb@php.net

-Status: Open +Status: Verified -PHP Version: 5.4.4 +PHP Version: 7.3 -Assigned To: +Assigned To: cmb

[2020-10-22 16:12 UTC] cmb@php.net

Unlikely to be remotely exploitable, but still a bug.

[2020-10-23 11:45 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #62474: com_event_sink crashes on certain arguments
On GitHub:  https://github.com/php/php-src/pull/6372
Patch:      https://github.com/php/php-src/pull/6372.patch

[2020-10-26 10:56 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7424bfc7ac772687a681e42081ea0d8943f0d85e
Log: Fix #62474: com_event_sink crashes on certain arguments

[2020-10-26 10:56 UTC] cmb@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC