Bug #62474 [Com]: com_event_sink crashes when closure object given as an argument
Edit report at https://bugs.php.net/bug.php?id=62474&edit=1

ID: 62474
Comment by: fb1h2s at gmail dot com
Reported by: deadb17ch at gmail dot com
Summary: com_event_sink crashes when closure object given as an argument
Status: Open
Type: Bug
Package: COM related
Operating System: Windows XP SP3
PHP Version: 5.4.4
Block user comment: N
Private report: N

New Comment:

It's possible to achieve code execution using this bug.

$_evil_object = new VARIANT(0x41414141);

Previous Comments:

[2012-07-03 20:18:20] deadb17ch at gmail dot com

Description:
com_event_sink() crashes when closure object (anonymous function) is given as the second argument...

Test script:
---

Expected result:
nothing happens or an information about error (or maybe argument type mismatch) occurs

Actual result:
--
crash
eax= ebx=010328f0 ecx= edx=0001 esi=0121e438 edi=
eip=100f33c8 esp=00c0fa50 ebp= iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00200202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\xampp\php\php5ts.dll -
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08 mov ecx,dword ptr [eax] ds:0023:=

--
Edit this bug report at https://bugs.php.net/bug.php?id=62474&edit=1
Bug #62474 [Com]: com_event_sink crashes when closure object given as an argument
Edit report at https://bugs.php.net/bug.php?id=62474&edit=1

ID: 62474
Comment by: fb1h2s at gmail dot com
Reported by: deadb17ch at gmail dot com
Summary: com_event_sink crashes when closure object given as an argument
Status: Open
Type: Bug
Package: COM related
Operating System: Windows XP SP3
PHP Version: 5.4.4
Block user comment: N
Private report: N

New Comment:

Oh yea my mistake I was referring to arg 1 crash, didn't see a Bug Id open for that here though.

Previous Comments:

[2012-07-26 13:43:04] deadb17ch at gmail dot com

I know. I have sent an advisory about possible code execution in com_event_sink() function using VARIANT object to bugtraq some time ago (21 May):
http://cxsecurity.com/issue/WLB-2012050163
http://www.exploit-db.com/exploits/18910/

but this time it is about bug in second argument, not first.

[2012-07-26 13:32:17] fb1h2s at gmail dot com

It's possible to achieve code execution using this bug.

$_evil_object = new VARIANT(0x41414141);

[2012-07-03 20:18:20] deadb17ch at gmail dot com

Description:
com_event_sink() crashes when closure object (anonymous function) is given as the second argument...

Test script:
---

Expected result:
nothing happens or an information about error (or maybe argument type mismatch) occurs

Actual result:
--
crash
eax= ebx=010328f0 ecx= edx=0001 esi=0121e438 edi=
eip=100f33c8 esp=00c0fa50 ebp= iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00200202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\xampp\php\php5ts.dll -
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08 mov ecx,dword ptr [eax] ds:0023:=

--
Edit this bug report at https://bugs.php.net/bug.php?id=62474&edit=1
Bug #62474 [Com]: com_event_sink crashes when closure object given as an argument
Edit report at https://bugs.php.net/bug.php?id=62474&edit=1

ID: 62474
Comment by: fb1h2s at gmail dot com
Reported by: deadb17ch at gmail dot com
Summary: com_event_sink crashes when closure object given as an argument
Status: Open
Type: Bug
Package: COM related
Operating System: Windows XP SP3
PHP Version: 5.4.4
Block user comment: N
Private report: N

New Comment:

A reliable way to get code execution
http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/
using this bug.

Previous Comments:

[2012-07-27 20:43:06] fb1h2s at gmail dot com

Oh yea my mistake I was referring to arg 1 crash, didn't see a Bug Id open for that here though.

[2012-07-26 13:43:04] deadb17ch at gmail dot com

I know. I have sent an advisory about possible code execution in com_event_sink() function using VARIANT object to bugtraq some time ago (21 May):
http://cxsecurity.com/issue/WLB-2012050163
http://www.exploit-db.com/exploits/18910/

but this time it is about bug in second argument, not first.

[2012-07-26 13:32:17] fb1h2s at gmail dot com

It's possible to achieve code execution using this bug.

$_evil_object = new VARIANT(0x41414141);

[2012-07-03 20:18:20] deadb17ch at gmail dot com

Description:
com_event_sink() crashes when closure object (anonymous function) is given as the second argument...

Test script:
---

Expected result:
nothing happens or an information about error (or maybe argument type mismatch) occurs

Actual result:
--
crash
eax= ebx=010328f0 ecx= edx=0001 esi=0121e438 edi=
eip=100f33c8 esp=00c0fa50 ebp= iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00200202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\xampp\php\php5ts.dll -
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08 mov ecx,dword ptr [eax] ds:0023:=

--
Edit this bug report at https://bugs.php.net/bug.php?id=62474&edit=1