codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: memory corruption with mp4 file with lots of "trex" tags #251

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=trex.mpd

This will corrupt some pointers right away and these pointers will be free()d when the stream is torn down. We could of course do this programmatically without any user interaction, but for now, just press refresh.

On Chrome Windows Canary 64-bit, windbg sees the crash like this:

000007fe`e7e184d4 486378f8   movsxd rdi,dword ptr [rax-8] ds:44444444`4343433b

In other words, the corrupted pointer passed to free() is attacker-controlled. It is also highly deterministic: I believe that the heap corruption involved does not cross a heap chunk boundary.

To compile the .as file, I had to use special flags to flex:

mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as

(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 4 Feb 2015 at 9:10

Attachments:
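The report's trigger is an MP4 whose box tree contains an unusual number of "trex" (track extends) boxes. The following added example, which is not part of the issue or its attachments, shows the kind of structural pre-check a content filter or detection pipeline can run on an ISO BMFF file before it reaches a media player: it walks the box tree with size validation and flags files whose "trex" count exceeds a threshold. The threshold (TREX_LIMIT), the set of container boxes descended into, and the sample files built by sample_mp4() are all assumptions of this example; real files should be tuned against a corpus.

```python
import struct
from collections import Counter

# Subset of ISO/IEC 14496-12 container boxes whose payload is a sequence of child boxes.
# Assumption of this example: extend as needed for the formats you expect to see.
CONTAINER_BOXES = {
    b"moov", b"mvex", b"trak", b"mdia", b"minf", b"stbl",
    b"moof", b"traf", b"edts", b"dinf", b"udta",
}

# Assumed threshold: one trex per track is normal; a file with more than this
# many is structurally anomalous and worth quarantining for inspection.
TREX_LIMIT = 16


def iter_boxes(data, start=0, end=None):
    """Yield (type, payload_start, payload_end) for the boxes in data[start:end].

    Raises ValueError on any size that does not fit inside the enclosing range,
    so a crafted length cannot make the walker read outside the parent box.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:  # 64-bit "largesize" follows the 8-byte header
            if pos + 16 > end:
                raise ValueError("truncated largesize header")
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:  # box extends to the end of the enclosing range
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"bad box size {size} for {btype!r} at offset {pos}")
        yield btype, pos + header, pos + size
        pos += size
    if pos != end:
        raise ValueError(f"{end - pos} trailing bytes after last box")


def count_boxes(data):
    """Return a Counter of box types across the whole tree (depth-limited)."""
    counts = Counter()

    def walk(start, end, depth):
        if depth > 32:
            raise ValueError("box nesting too deep")
        for btype, p0, p1 in iter_boxes(data, start, end):
            counts[btype] += 1
            if btype in CONTAINER_BOXES:
                walk(p0, p1, depth + 1)

    walk(0, len(data), 0)
    return counts


def is_well_formed(data):
    """True if every box size is consistent with the file and its parents."""
    try:
        count_boxes(data)
        return True
    except ValueError:
        return False


def suspicious_trex_count(data, limit=TREX_LIMIT):
    """True if the file parses and carries more trex boxes than the assumed limit."""
    return count_boxes(data)[b"trex"] > limit


# --- constructed sample input (not from the report's attachment) ---

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def trex(track_id):
    # version/flags, track_ID, default_sample_description_index,
    # default_sample_duration, default_sample_size, default_sample_flags
    return box(b"trex", struct.pack(">I5I", 0, track_id, 1, 0, 0, 0))


def sample_mp4(n_trex):
    """Minimal ftyp + moov/mvex skeleton holding n_trex trex boxes."""
    ftyp = box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom")
    mvex = box(b"mvex", b"".join(trex(i + 1) for i in range(n_trex)))
    return ftyp + box(b"moov", mvex)


if __name__ == "__main__":
    for n in (1, 200):
        f = sample_mp4(n)
        print(n, dict(count_boxes(f)), "suspicious" if suspicious_trex_count(f) else "ok")
```

The walker deliberately refuses to continue past a box whose declared size overruns its parent; for a fuzz-style trigger such as this one, a file that fails the structural check is as interesting to quarantine as one that exceeds the count.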

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Feb 2015 at 8:17

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Mar 2015 at 6:04

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Original comment by cev...@google.com on 12 Mar 2015 at 7:36

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 19 Mar 2015 at 7:57