codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash: out-of-bounds write with mp4 file missing a track (alternate mp4 parser) #253

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
See also https://code.google.com/p/google-security-research/issues/detail?id=246

To reproduce, host the attached SWF and other files on a web server (e.g. 
localhost) and load it like this:

http://localhost/PlayManifest.swf?file=oob_frma.mpd

On Chrome Windows Canary 64-bit, windbg sees the crash like this:

000007fe`ed8fb4c5 ...   mov dword ptr [rax+rsi+1459Ch],eax ds:00000218`01d8f9a4

eax = 0x41414141

As can be seen, the value being written to the out-of-bounds location is under 
attacker control. The out-of-bounds location appears to be quite wild, perhaps 
+4GB out-of-bounds. An example of how to exploit such issues, even in the 
presence of a memory limit, is covered on the Project Zero blog: 
http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.
html

On 32-bit, I believe the corruption will be much more subtle, always landing in 
an allocated chunk, due to address-space wrap around at 4GB. I'd expect the 
issue to be more reliably exploitable on 32-bit, but even getting a PoC that 
crashes on 32-bit would be a lot more work.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 5 Feb 2015 at 1:27

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Feb 2015 at 8:31

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Mar 2015 at 6:04

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Original comment by cev...@google.com on 12 Mar 2015 at 7:36

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 19 Mar 2015 at 7:57