Bug #73008 Bug #72286 is actually a gc use after free and is exploitable
Submitted: 2016-09-03 19:54 UTC Modified: 2017-01-02 12:17 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: xavier dot combelle at gmail dot com Assigned: dmitry
Status: Duplicate Package: *General Issues
PHP Version: 5.6.25 OS: debian jessie
Private report: No CVE-ID: None
 [2016-09-03 19:54 UTC] xavier dot combelle at gmail dot com
Description:
------------
I use a fresh PHP that I just compiled for testing, run like this:

./sapi/cli/php ~/public_html/test.php

It occurred to me that Bug #72286 is indeed a use-after-free kind of bug, so it could be exploitable.

With a variation of the Bug #72286 report, I show how the bug could lead to unintended execution.

For the proof of concept I just call a method which echoes "dangerous". If I am not mistaken, attribute changes could also be obtained.

Apart from the fact that the destructed object must be part of a reference cycle and garbage collection must be triggered, the only constraint I see on the proof of concept is that a target object must be created inside the destructor and the target method/attribute must be called.

Test script:
---------------
https://gist.github.com/xcombelle/cc8c391e93d01dfe9568bf634a656767

Expected result:
----------------
not dangerous

Actual result:
--------------
dangerous

History

 [2016-09-03 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-03 20:08 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2017-01-02 12:17 UTC] nikic@php.net
-Status: Assigned +Status: Duplicate
 [2017-01-02 12:17 UTC] nikic@php.net
Marking as duplicate of bug #72286.