telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash memory corruption in the G711 codec with 4-byte samples #122

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a memory corruption due to a wild memmove() in the G711 codec. I think it 
affects all Flash builds except the Pepper plug-in (as used by Chrome). 
Specifically, run the PoC against Flash in Internet Explorer, and a crash is 
observed.

The PoC is the attachment EmbedSoundG711.swf. Press the "Play" button to 
trigger the crash. (This bug can be triggered without user interaction, I just 
happened to base the crafted attack file on a SWF that uses a button.)

EmbedSoundG711.swf is based on EmbedSound.swf (also attached), with the 
difference that a byte 0x2b is changed to 0x8f. This has the effect of changing 
codec selection to G711. Note that EmbedSound.swf is simply an uncompressed 
copy of the demo SWF in the "Embedded Sounds" section at 
http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf60546-7ff2.html

Interestingly, although the crash is in memmove() with a small negative value 
for "length", this would appear exploitable. In some of the mutated test cases 
we've observed, the crash occurs not in memmove(), but in another thread that 
is busy parsing and rendering, where its structures have been trashed by the 
in-process memmove().

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 8 Oct 2014 at 12:45

Attachments:
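The report above describes the crash as a memmove() reached with a "small negative value for length". The following is an added illustration, not Flash's G711 code and not a claim about how that decoder computes its length: it shows why a negative sample count handed to memmove() becomes a wild copy (size_t conversion turns -4 into a value near SIZE_MAX) and the validation a decoder output stage needs before the copy. The function names, the enum and the sample input are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration (hypothetical decoder output stage, not Flash code):
 * memmove() takes a size_t, so a negative byte count does not fail loudly, it
 * converts to a huge unsigned value and the copy runs off the end of both buffers. */

enum copy_status {
    COPY_OK = 0,
    COPY_ERR_NEGATIVE = 1,   /* sample count went negative */
    COPY_ERR_OVERFLOW = 2,   /* count * bytes_per_sample would wrap */
    COPY_ERR_BOUNDS = 3      /* byte count exceeds source or destination */
};

/* Unchecked conversion: the value an unvalidated decoder would pass to memmove().
 * unchecked_length(-1, 4) is (size_t)-4, i.e. SIZE_MAX - 3. */
static size_t unchecked_length(int64_t nsamples, size_t bytes_per_sample)
{
    return (size_t)(nsamples * (int64_t)bytes_per_sample);
}

/* Checked copy: rejects negative, wrapping and out-of-bounds byte counts before
 * memmove() is called. On success returns COPY_OK and stores the byte count. */
static enum copy_status copy_samples(uint8_t *dst, size_t dst_cap,
                                     const uint8_t *src, size_t src_len,
                                     int64_t nsamples, size_t bytes_per_sample,
                                     size_t *out_bytes)
{
    if (nsamples < 0)
        return COPY_ERR_NEGATIVE;
    if (bytes_per_sample == 0 || (uint64_t)nsamples > SIZE_MAX / bytes_per_sample)
        return COPY_ERR_OVERFLOW;
    size_t nbytes = (size_t)nsamples * bytes_per_sample;
    if (nbytes > src_len || nbytes > dst_cap)
        return COPY_ERR_BOUNDS;
    memmove(dst, src, nbytes);
    if (out_bytes)
        *out_bytes = nbytes;
    return COPY_OK;
}

/* Constructed input: eight 4-byte samples (32 bytes of counting pattern). */
static const uint8_t SAMPLE_SRC[32] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* Runs the valid case (8 samples x 4 bytes into a 64-byte buffer) and returns
 * the number of bytes copied, or 0 if the copy was rejected or corrupted. */
static size_t demo_valid_copy(void)
{
    uint8_t dst[64];
    size_t n = 0;
    if (copy_samples(dst, sizeof dst, SAMPLE_SRC, sizeof SAMPLE_SRC, 8, 4, &n) != COPY_OK)
        return 0;
    if (memcmp(dst, SAMPLE_SRC, n) != 0)
        return 0;
    return n;
}
```

The ordering of the checks matters: the sign test comes first because once a negative count has been converted to an unsigned type the overflow and bounds tests can no longer see it.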

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Oct 2014 at 5:39

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Nov 2014 at 2:37

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:53

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:26

GoogleCodeExporter commented 9 years ago
Attaching a libpepflashplayer.so for Chrome Linux x64.

It's based on:
Google Chrome   41.0.2272.89 (Official Build)
Flash   17.0.0.134

... but with the vulnerability patched back in, which can be done with the 
following (unique) asm opcode edit:

0x41    0xbc    0x1e    0x05    0x00    0x00    mov    $0x51e,%r12d
->
0x41    0xbc    0xde    0x03    0x00    0x00    mov    $0x3de,%r12d

This may be useful in case anyone wished to play with this vulnerability.

Original comment by cev...@google.com on 12 Mar 2015 at 8:14

Attachments:
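The comment above gives the exact six-byte encodings of the fixed instruction (`mov $0x51e,%r12d`) and of the edit that reintroduces the bug (`mov $0x3de,%r12d`), and says that edit is unique in the listed build. As an added example, not part of the report, here is a small checker that scans a copy of libpepflashplayer.so for those two byte sequences and reports whether the build carries the fix, the reverted edit, or neither. The sample buffers and all function and enum names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte sequences quoted in the comment above. Both encode `mov $imm32,%r12d`:
 * 0x41 (REX.B) 0xbc (B8+r, r12) followed by the little-endian 32-bit immediate. */
static const uint8_t PATCHED_MOV[6]  = {0x41, 0xbc, 0x1e, 0x05, 0x00, 0x00}; /* mov $0x51e,%r12d */
static const uint8_t REVERTED_MOV[6] = {0x41, 0xbc, 0xde, 0x03, 0x00, 0x00}; /* mov $0x3de,%r12d */

enum patch_state {
    PATCH_UNKNOWN = 0,    /* neither sequence found: not this build, no conclusion */
    PATCH_PRESENT = 1,    /* exactly one occurrence of the fixed instruction */
    PATCH_REVERTED = 2,   /* exactly one occurrence of the re-introduced edit */
    PATCH_AMBIGUOUS = 3   /* several or mixed hits: the sequence is not unique here */
};

/* Counts every position in buf where the pattern occurs. */
static size_t count_pattern(const uint8_t *buf, size_t len,
                            const uint8_t *pat, size_t plen)
{
    size_t hits = 0;
    if (len < plen)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            hits++;
    return hits;
}

/* Classifies an in-memory image; relies on the comment's "unique" claim, so a
 * single hit of one sequence and none of the other is the only firm answer. */
static enum patch_state classify_buffer(const uint8_t *buf, size_t len)
{
    size_t fixed = count_pattern(buf, len, PATCHED_MOV, sizeof PATCHED_MOV);
    size_t bug   = count_pattern(buf, len, REVERTED_MOV, sizeof REVERTED_MOV);
    if (fixed == 1 && bug == 0) return PATCH_PRESENT;
    if (bug == 1 && fixed == 0) return PATCH_REVERTED;
    if (fixed == 0 && bug == 0) return PATCH_UNKNOWN;
    return PATCH_AMBIGUOUS;
}

/* Reads a whole file and classifies it; any I/O failure yields PATCH_UNKNOWN. */
static enum patch_state classify_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return PATCH_UNKNOWN;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return PATCH_UNKNOWN; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return PATCH_UNKNOWN; }
    rewind(f);
    uint8_t *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) { fclose(f); return PATCH_UNKNOWN; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);
    enum patch_state st = classify_buffer(buf, got);
    free(buf);
    return st;
}

/* Constructed sample images (not real plugin bytes): padding around each sequence. */
static const uint8_t SAMPLE_PATCHED[]  = {0x90, 0x90, 0x41, 0xbc, 0x1e, 0x05, 0x00, 0x00, 0xc3};
static const uint8_t SAMPLE_REVERTED[] = {0x90, 0x90, 0x41, 0xbc, 0xde, 0x03, 0x00, 0x00, 0xc3};
static const uint8_t SAMPLE_OTHER[]    = {0x90, 0x90, 0x41, 0xbc, 0x00, 0x00, 0x00, 0x00, 0xc3};

int main(int argc, char **argv)
{
    static const char *names[] = {
        "unknown (neither sequence found; not this build)",
        "fix present", "fix reverted", "ambiguous (multiple or mixed hits)"
    };
    if (argc != 2) {
        fprintf(stderr, "usage: %s libpepflashplayer.so\n", argv[0]);
        return 2;
    }
    enum patch_state st = classify_file(argv[1]);
    printf("%s: %s\n", argv[1], names[st]);
    return st == PATCH_REVERTED ? 1 : 0;
}
```

The uniqueness claim in the comment is about one build (Chrome 41.0.2272.89 with Flash 17.0.0.134 on Linux x64), so the checker treats any other result than a single clean hit as inconclusive rather than guessing; on a different build the same six bytes may appear by coincidence or not at all.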

GoogleCodeExporter commented 9 years ago
Attaching a working exploit for Linux x64; lots of notes inside the source file.

Original comment by cev...@google.com on 19 Mar 2015 at 8:33

Attachments:

GoogleCodeExporter commented 9 years ago
Blog post for this exploit: 
http://googleprojectzero.blogspot.ca/2015/03/taming-wild-copy-parallel-thread.html

Original comment by cev...@google.com on 19 Mar 2015 at 8:42

GoogleCodeExporter commented 9 years ago
This exploit was presented at CanSecWest. Attaching a PDF of the slides used.

Original comment by cev...@google.com on 19 Mar 2015 at 8:45

Attachments: