Bug #62474 com_event_sink crashes when closure object given as an argument
Submitted: 2012-07-03 20:18 UTC Modified: 2020-10-22 16:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: deadb17ch at gmail dot com Assigned: cmb (profile)
Status: Closed Package: COM related
PHP Version: 7.3 OS: Windows XP SP3
Private report: No CVE-ID: None
 [2012-07-03 20:18 UTC] deadb17ch at gmail dot com
Description:
------------
com_event_sink() crashes when a closure object (anonymous function) is given as the
second argument...

Test script:
---------------
<?php

$__evil = function() { };

com_event_sink(
	/* variant */	new Variant(),
	/* object  */	$__evil,			// oink!
	/* mixed   */	array()
);

?>

Expected result:
----------------
nothing happens, or information about an error (or maybe an argument type mismatch)
occurs


Actual result:
--------------
crash

eax=00000000 ebx=010328f0 ecx=00000000 edx=00000001 esi=0121e438 edi=00000000
eip=100f33c8 esp=00c0fa50 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\xampp\php\php5ts.dll - 
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=???????? 

History
 [2012-07-26 13:32 UTC] fb1h2s at gmail dot com
It's possible to achieve code execution using this bug. 

$_evil_object = new VARIANT(0x41414141);
 [2012-07-26 13:43 UTC] deadb17ch at gmail dot com
I know. I have sent an advisory about possible code execution in the com_event_sink()
function using a VARIANT object to bugtraq some time ago (21 May):

http://cxsecurity.com/issue/WLB-2012050163
http://www.exploit-db.com/exploits/18910/

but this time it is about a bug in the second argument, not the first.
 [2012-07-27 20:43 UTC] fb1h2s at gmail dot com
Oh yeah, my mistake, I was referring to the arg 1 crash; didn't see a Bug Id open for that here though.

<?php


$buffer = str_repeat("A", 1000);


$vVar = new VARIANT(0x41414141); // We control this
$vVar2 = new VARIANT(0x41414141); // 


com_event_sink($vVar, $vVar2 , $buffer );

?>
 [2012-09-11 14:08 UTC] fb1h2s at gmail dot com
A reliable way to get code execution http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/ using this bug.
 [2020-10-22 16:12 UTC] cmb@php.net
-Status: Open
+Status: Verified
-PHP Version: 5.4.4
+PHP Version: 7.3
-Assigned To:
+Assigned To: cmb
 [2020-10-22 16:12 UTC] cmb@php.net
Unlikely to be remotely exploitable, but still a bug.
 [2020-10-23 11:45 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #62474: com_event_sink crashes on certain arguments
On GitHub:  https://github.com/php/php-src/pull/6372
Patch:      https://github.com/php/php-src/pull/6372.patch
 [2020-10-26 10:56 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7424bfc7ac772687a681e42081ea0d8943f0d85e
Log: Fix #62474: com_event_sink crashes on certain arguments
 [2020-10-26 10:56 UTC] cmb@php.net
-Status: Verified
+Status: Closed
 
Last updated: Thu Nov 21 11:01:29 2024 UTC