codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash leak of uninitialized data whilst rendering a 2-component JPEG #44

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A SWF to reproduce is attached, along with source. To reproduce, host 
JPEGLeak2.swf on the same web server / directory as twocomps.jpg. A screenshot 
of the PoC in action is also attached.

twocomps.jpg is a weird JPEG file that has all sorts of problems (truncated, 
etc.) but the main problem is that no software really knows how to handle 
2-component JPEGs, as these do not exist in the wild. It looks like Flash's 
response to not knowing how to handle it is to leave the image canvas 
uninitialized. This can be a significant security issue.

The PoC goes most of the way to pulling a pointer value (ASLR defeat) out of 
the uninitialized canvas -- for the 64-bit Linux platform. But you can get the 
point just by refreshing the PoC a lot and seeing the rendered content change.

Since it's very easy to use this vulnerability to read uninitialized memory 
content, a 90-day disclosure deadline applies.

Original issue reported on code.google.com by cev...@google.com on 9 Jul 2014 at 11:22

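The report above hinges on one structural detail of the file: the number of components declared in the JPEG start-of-frame (SOF) header, which decoders only expect to be 1 (grayscale), 3 (YCbCr/RGB) or 4 (CMYK/YCCK). The following is an added example, not part of the original issue or its attachments, showing how a defender could walk the marker segments of a JPEG and flag files whose SOF declares an unusual component count or that are truncated before the frame header. The function names (`parse_sof`, `classify_jpeg`, `build_sof0`) and the sample byte strings are constructed for this example and are not taken from twocomps.jpg.

```python
import struct
from typing import Optional, Dict

# All SOFn marker codes (0xC0-0xCF) except DHT (0xC4), reserved JPG (0xC8) and DAC (0xCC).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

# Component counts that mainstream decoders are written to handle.
EXPECTED_COMPONENT_COUNTS = {1, 3, 4}


def parse_sof(data: bytes) -> Optional[Dict[str, int]]:
    """Walk the JPEG marker segments and return the first SOF header's fields.
    Returns None if the data is not a JPEG, loses marker sync, or is truncated
    before a complete SOF segment is seen."""
    if len(data) < 2 or data[:2] != b"\xff\xd8":  # must start with SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync: malformed file
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers (SOI, TEM, RSTn) carry no length field
            continue
        if marker == 0xD9:
            return None  # EOI reached without any SOF
        if pos + 4 > len(data):
            return None  # length field itself is cut off
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return None  # segment claims more bytes than the file has: truncated
        if marker in SOF_MARKERS:
            if seg_len < 8:
                return None  # too short to hold precision/height/width/ncomp
            precision = data[pos + 4]
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            ncomp = data[pos + 9]
            return {"marker": marker, "precision": precision,
                    "height": height, "width": width, "components": ncomp}
        if marker == 0xDA:
            return None  # SOS before SOF is malformed; entropy data follows
        pos += 2 + seg_len
    return None


def classify_jpeg(data: bytes) -> str:
    """Label a JPEG as ok, unusual-component-count:N, or malformed-or-truncated."""
    sof = parse_sof(data)
    if sof is None:
        return "malformed-or-truncated"
    if sof["components"] in EXPECTED_COMPONENT_COUNTS:
        return "ok"
    return f"unusual-component-count:{sof['components']}"


# --- constructed sample inputs (not the original twocomps.jpg) ---
def build_sof0(width: int, height: int, components: int) -> bytes:
    """Build a baseline SOF0 segment with 8-bit precision and 1x1 sampling."""
    body = bytes([8]) + struct.pack(">HH", height, width) + bytes([components])
    for cid in range(1, components + 1):
        body += bytes([cid, 0x11, 0])  # component id, sampling factors, quant table
    return b"\xff\xc0" + struct.pack(">H", len(body) + 2) + body


APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_3COMP = b"\xff\xd8" + APP0 + build_sof0(16, 16, 3)   # ordinary YCbCr header
SAMPLE_2COMP = b"\xff\xd8" + APP0 + build_sof0(16, 16, 2)   # the odd case from the report
SAMPLE_TRUNC = SAMPLE_2COMP[:-4]                            # cut off inside the SOF segment

if __name__ == "__main__":
    for name, sample in (("3comp", SAMPLE_3COMP), ("2comp", SAMPLE_2COMP), ("trunc", SAMPLE_TRUNC)):
        print(name, classify_jpeg(sample))
```

The scanner stops at the first SOF and never touches entropy-coded data, so it is cheap to run over an upload directory or a proxy cache. A file flagged as `unusual-component-count` is exactly the kind of input a decoder might decline to decode while still handing back a canvas, which is why the fix on the decoder side is to zero-fill the canvas before attempting any decode rather than to rely on every code path painting every pixel.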

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Jul 2014 at 12:26

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 3:30

GoogleCodeExporter commented 9 years ago
Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

Original comment by cev...@google.com on 21 Aug 2014 at 3:35

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 21 Aug 2014 at 10:01

GoogleCodeExporter commented 9 years ago
Blogged about here: 
http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html

Marking as Fixed since the patch has been available for > 1 week.

Original comment by cev...@google.com on 21 Aug 2014 at 10:09