ITh4cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: wild pointer crash in XML handling #400

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The attached sample file, 
signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, 
perhaps relating to XML handling.

The crash looks like this on Linux x64:

=> 0x00007f6931226f22:  mov    0x8(%rcx),%eax
rcx            0x303030303030300    217020518514230016

The wider context shows that the wild pointer target can be incremented with 
this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22:  mov    0x8(%rcx),%eax    <--- read
   0x00007f6931226f25:  test   %eax,%eax
   0x00007f6931226f27:  je     0x7f6931226f80
   0x00007f6931226f29:  test   $0x40000000,%eax
   0x00007f6931226f2e:  jne    0x7f6931226f80
   0x00007f6931226f30:  add    $0x1,%eax         <--- increment
   0x00007f6931226f33:  cmp    $0xff,%al
   0x00007f6931226f35:  mov    %eax,0x8(%rcx)    <--- write back

The base sample from which this fuzz case was generated is also attached, 
e3f87b25c25db8f9ec3c975f8c1211cc.swf

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 21 May 2015 at 12:38

Attachments:
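
A small crash-triage helper, added here as an illustration and not part of the original report or of Project Zero's tooling. It parses the GDB output quoted above (the rcx value and the wider-context disassembly, embedded as constructed sample input copied from the report) and classifies the fault: the address actually dereferenced, whether the access is a load or a store, whether the pointer value is mostly one repeated byte (the usual signature of file- or fuzzer-controlled data landing in a pointer), whether the address is even canonical on x86-64, and whether a later store to the same `[base+disp]` turns the faulting load into a read-modify-write. The regex parsing assumes GDB's default AT&T syntax and the `info registers` / `x/i` layouts; the function and field names are this example's own.

```python
import re

# Constructed sample input: the register line and the "wider context"
# disassembly quoted in the report above. Only rcx appears on the page,
# so the register dump contains just that one line.
GDB_REGS = """\
rcx            0x303030303030300    217020518514230016
"""

GDB_DISAS = """\
=> 0x00007f6931226f22:  mov    0x8(%rcx),%eax    <--- read
   0x00007f6931226f25:  test   %eax,%eax
   0x00007f6931226f27:  je     0x7f6931226f80
   0x00007f6931226f29:  test   $0x40000000,%eax
   0x00007f6931226f2e:  jne    0x7f6931226f80
   0x00007f6931226f30:  add    $0x1,%eax         <--- increment
   0x00007f6931226f33:  cmp    $0xff,%al
   0x00007f6931226f35:  mov    %eax,0x8(%rcx)    <--- write back
"""

REG_RE = re.compile(r'^(\w+)\s+0x([0-9a-fA-F]+)', re.M)
# Optional "=>" marker, address, mnemonic, operands; a trailing "<--- note" is dropped.
INSN_RE = re.compile(r'^(=>)?\s*0x([0-9a-fA-F]+):\s+(\w+)\s+(.*?)\s*(?:<---.*)?$', re.M)
MEM_RE = re.compile(r'(-?0x[0-9a-fA-F]+)?\((%\w+)\)')
MASK64 = (1 << 64) - 1


def parse_registers(text):
    """Map register name -> integer value from a GDB 'info registers' dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}


def parse_disas(text):
    """Parse GDB x/i output (AT&T syntax); '=>' marks the faulting instruction."""
    insns = []
    for m in INSN_RE.finditer(text):
        insns.append({
            'fault': m.group(1) == '=>',
            'addr': int(m.group(2), 16),
            'mnem': m.group(3),
            'ops': [o.strip() for o in m.group(4).split(',')],
        })
    return insns


def memory_operand(ops):
    """Return (displacement, base register, operand index) of the first
    memory operand, or None if the instruction touches no memory."""
    for i, op in enumerate(ops):
        m = MEM_RE.search(op)
        if m:
            disp = int(m.group(1), 16) if m.group(1) else 0
            return disp, m.group(2).lstrip('%'), i
    return None


def fill_byte(value):
    """Return the byte that makes up at least 6 of the 8 bytes of a 64-bit
    value, i.e. a repeated-fill pattern typical of input-controlled data in a
    pointer slot; None if there is no such pattern."""
    bs = value.to_bytes(8, 'little')
    best = max(set(bs), key=bs.count)
    return best if bs.count(best) >= 6 else None


def is_canonical(addr):
    """Canonical user/kernel ranges for a 48-bit x86-64 virtual address."""
    return addr < 0x0000800000000000 or addr >= 0xffff800000000000


def triage(regs_text, disas_text):
    regs = parse_registers(regs_text)
    insns = parse_disas(disas_text)
    fault = next(i for i in insns if i['fault'])
    disp, base, idx = memory_operand(fault['ops'])
    base_val = regs[base]
    target = (base_val + disp) & MASK64
    # AT&T syntax puts the destination last: a memory operand in the last
    # position is a store, anywhere else it is a load.
    access = 'write' if idx == len(fault['ops']) - 1 else 'read'
    # A later store to the same [base+disp] means the faulting load feeds a
    # read-modify-write: the wild location is both read and then changed.
    rmw = any(
        i['addr'] > fault['addr']
        and i['mnem'].startswith('mov')
        and memory_operand(i['ops']) == (disp, base, len(i['ops']) - 1)
        for i in insns
    )
    return {
        'faulting_insn': f"{fault['mnem']} {','.join(fault['ops'])}",
        'access': access,
        'base_register': base,
        'base_value': base_val,
        'target_address': target,
        'canonical': is_canonical(target),
        'fill_byte': fill_byte(base_val),
        'read_modify_write': rmw,
    }


def summary(report):
    lines = [f"faulting instruction: {report['faulting_insn']} ({report['access']})",
             f"target address: {report['target_address']:#018x} via {report['base_register']}"]
    if not report['canonical']:
        lines.append("non-canonical address: faults regardless of heap layout")
    if report['fill_byte'] is not None:
        lines.append(f"pointer is mostly byte {report['fill_byte']:#04x}: looks input-controlled")
    if report['read_modify_write']:
        lines.append("read-modify-write through the wild pointer: triage as exploitable, not as a plain bad read")
    return "\n".join(lines)


if __name__ == '__main__':
    print(summary(triage(GDB_REGS, GDB_DISAS)))
```

On the report's own numbers this yields a load through rcx at 0x0303030303030308, a non-canonical address whose register is 7/8 filled with 0x03, followed by a store to the same slot, which is exactly why the reporter rates the increment as the interesting part rather than the initial read.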

GoogleCodeExporter commented 8 years ago
This crash looked interesting so I minimized it, attached.

Original comment by cev...@google.com on 21 May 2015 at 3:18

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 21 May 2015 at 12:47

GoogleCodeExporter commented 8 years ago
Attaching a repro for a similar issue in the same area.

Original comment by cev...@google.com on 22 May 2015 at 3:52

Attachments:

GoogleCodeExporter commented 8 years ago
PSIRT-3734

Original comment by cev...@google.com on 26 May 2015 at 10:17

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:34

GoogleCodeExporter commented 8 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:35