
Automatically exported from code.google.com/p/google-security-research

Flash corruption after corrupting pre-validated bytecode #125

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There are various corruptions and unfortunate situations triggered if a Flash 
file edits its own SWF bytes. This is permitted via exposure of the 
"this.loaderInfo.bytes" ByteArray property. Unfortunately, it appears that some 
of the SWF content is validated for security at load time. If the SWF then 
edits itself at run time, the previous security validations can be bypassed.

A repro SWF is attached, along with source. It crashes due to corruption of 
metadata bytecode.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 14 Oct 2014 at 10:58

Attachments:
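As an added illustration of the bug class the report describes (not the attached repro, not Flash or ActionScript, and not Adobe's code), here is a constructed Python model: a verifier that checks bytecode once at load time, a loader that then exposes the very buffer it executes (the loaderInfo.bytes pattern), and a hardened loader that hands out a copy and re-verifies before executing. The toy opcode set, class names and sample program are assumptions made for the example.

```python
# Constructed toy bytecode: (opcode, operand) pairs. Not SWF or AVM2 format.
OP_HALT, OP_PUSH_CONST = 0x00, 0x01

def validate(code, pool_size):
    """Load-time verifier: well-formed pairs, known opcodes, in-range constant indexes."""
    if len(code) % 2:
        raise ValueError("truncated instruction")
    for off in range(0, len(code), 2):
        op, arg = code[off], code[off + 1]
        if op not in (OP_HALT, OP_PUSH_CONST):
            raise ValueError(f"unknown opcode {op:#x} at offset {off}")
        if op == OP_PUSH_CONST and arg >= pool_size:
            raise ValueError(f"constant index {arg} out of range at offset {off}")

def interpret(code, pool):
    """Executor trusts the verifier: the operand is used unchecked (IndexError models a native OOB access)."""
    stack = []
    for off in range(0, len(code), 2):
        op, arg = code[off], code[off + 1]
        if op == OP_HALT:
            break
        stack.append(pool[arg])
    return stack

class VulnerableLoader:
    """Verifies once, then exposes the buffer the VM executes (loaderInfo.bytes pattern)."""
    def __init__(self, code, pool):
        self.pool, self.bytes = pool, bytearray(code)   # mutable, aliased by run()
        validate(self.bytes, len(pool))
    def run(self):
        return interpret(self.bytes, self.pool)

class HardenedLoader:
    """Private immutable copy; exposed view is a copy; re-verify before executing."""
    def __init__(self, code, pool):
        self.pool, self._code = pool, bytes(code)
        validate(self._code, len(pool))
    @property
    def bytes(self):
        return bytearray(self._code)                     # edits never reach the VM
    def run(self):
        validate(self._code, len(self.pool))             # never execute unverified bytes
        return interpret(self._code, self.pool)

def self_edit_then_run(loader):
    """A script rewrites its own bytecode after load, then runs: returns stack or error name."""
    loader.bytes[1] = 0xFF          # index 255 would have failed the load-time check
    try:
        return loader.run()
    except IndexError as exc:
        return type(exc).__name__

CODE, POOL = bytes([OP_PUSH_CONST, 0, OP_HALT, 0]), ["hello"]
```

The vulnerable loader passes verification and still faults after the run-time edit, while the hardened loader returns the same result before and after, which is the invariant a verifier-trusting VM has to preserve.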

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 15 Oct 2014 at 4:54

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Jan 2015 at 3:25

GoogleCodeExporter commented 9 years ago
Fixed: http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

Original comment by cev...@google.com on 14 Jan 2015 at 12:47

GoogleCodeExporter commented 9 years ago
(Note on dates: I calculated 90 days by simply adding three months which is 
inaccurate; this report may have actually gone over deadline. Going forward, 
we'll investigate a script to calculate 90 days accurately and automatically in 
all cases, for consistency in corner-cases.)

Original comment by cev...@google.com on 14 Jan 2015 at 12:50

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 14 Jan 2015 at 12:51

GoogleCodeExporter commented 9 years ago
Issue has now been fixed for 7+ days, so opening up for public view.

In case anyone bothers to read here: I'd like to state that I think this is a 
_really_ interesting bug! Being able to programmatically corrupt your own 
bytecode via an ActionScript API is super cool, and particularly unusual in 
terms of trigger and level of control for a memory corruption.

If I had more time, I'd have written an exploit for this one. Unfortunately, I 
can't justify spending the time it would take: in Project Zero, we typically 
only write exploits if we think we might learn something new or gain a 
particular insight. I think the exploitation would be pretty run-of-the-mill in 
this case.

Still, this would make an interesting project for anyone learning exploitation. 
I'd be happy to share ideas if anyone made this their project. Enjoy!

Original comment by cev...@google.com on 26 Jan 2015 at 5:47