search

ohio813 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash: memory corruption with CEA-708 screen cursor going off-screen #265

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
To reproduce, host the attached SWF and other files on a web server (e.g. 
localhost) and load it like this:

http://localhost/PlayManifest.swf?file=caption_708.m3u8

Press refresh after load to guarantee the crash.

[Note: you'll need this PlayManifest.swf and not an older one from an older bug]

On 64-bit Chrome on Windows canary, v42.0.2306.0, you will see this in WinDbg:

77b0320e 807b0f05     cmp byte ptr [rbx + 0Fh],5  ds:0000001f`ffffffff

Where this value is based on the synthesized pointer value 0x0000002000000000. 
Note that the attacker could synthesize a slightly more fine-grained value if 
desired, although probably not a perfectly-chosen pointer value. The most 
likely attack would probably be a precise clobber of some length variable.

This is an extremely reliable bug; in fact it's kind of cool. It's a write to 
an attacker-chosen offset within a single large object, so there's no 
unreliability due to crossing heap chunks, etc. The crash will always be the 
same, with the same value. Such a bug could be the basis of a 100% reliable 
exploit.

The payload is wrapped a few protocols deep but is effectively the following 
CEA-708 byte sequence (see http://en.wikipedia.org/wiki/CEA-708):

0x92 0x0F 0x26 0x08

Corresponding to:

SetPenLocation (x=15, y=38)  <--- both out of bounds (max 15x42)
Backspace (ASCII 0x08)       <--- writes 0x20 out-of-bounds

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 17 Feb 2015 at 10:56

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 18 Feb 2015 at 12:08

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Apr 2015 at 9:36

GoogleCodeExporter commented 9 years ago 
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

Original comment by cev...@google.com on 14 Apr 2015 at 6:22

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 30 Apr 2015 at 7:20