php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73008 Bug #72286 is actually a gc use after free and is exploitable
Submitted: 2016-09-03 19:54 UTC Modified: 2017-01-02 12:17 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: xavier dot combelle at gmail dot com Assigned: dmitry (profile)
Status: Duplicate Package: *General Issues
PHP Version: 5.6.25 OS: debian jessie
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: xavier dot combelle at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-03 19:54 UTC] xavier dot combelle at gmail dot com
Description:
------------
I use a fresh php just compiled for test like this 

./sapi/cli/php ~/public_html/test.php

It occurred to me that Bug #72286, is indeed an use after free kind of bug so could be exploitable.

With a variation of Bug #72286 report, I show how the bug could lead to not intended execution.

For the proof of concept I just call a method which echo "dangerous". If I don't mistake attribute change could be also obtained.

Apart that the destructed  object should be take in a reference cycle, and the garbage collection triggered, the only constraint I see of the proof of concept is that a target object must be created inside the destructor and the  target method/attribute should be call

Test script:
---------------
https://gist.github.com/xcombelle/cc8c391e93d01dfe9568bf634a656767

Expected result:
----------------
not dangerous

Actual result:
--------------
dangerous

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-03 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-03 20:08 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2017-01-02 12:17 UTC] nikic@php.net
-Status: Assigned +Status: Duplicate
 [2017-01-02 12:17 UTC] nikic@php.net
Marking as duplicate of bug #72286.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Sep 19 15:01:30 2019 UTC