Status: Fixed
Owner:
Closed: Nov 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Security: Race condition in Flash workers may cause an exploitable double free
Reported by bilouleh...@gmail.com, Oct 15 2014

VULNERABILITY DETAILS
The issue occurs while sharing a bytearray between two workers. If both call bytearray.clear() at the same time, Flash does not correctly handle the race and may double free the array.

VERSION
Chrome Version: [38.0.2125.104] + [stable]
Operating System: [Win 7 SP1 x64 FR]

REPRODUCTION CASE
Use a VM with 2 cores to get a reliable crash, I can't manage to crash a 1-cored VM.
Put exploit/clear_xpl.swf along with exploit/calc_chrome.bin on a web server and run the browser with the --no-sandbox flag to get the calc.
Put poc/poc.swf and browse to in order to crash Chrome, IE or anything.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: crash with calc as a side effect
Crash State: not good

Attachment: flash-clear-rc.rar (23.9 KB)
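An added example, not code from the report or from Flash, that models the race described above in C: clear() on a shared buffer as the two non-atomic steps a worker performs, replayed in the interleaving that frees the block twice, beside a variant that takes ownership of the pointer with an atomic exchange so only one worker frees. The counting allocator and every name here are constructed for the illustration.

```c
/* Added example (not from the bug report or Adobe's code): models the racy
 * ByteArray.clear() pattern and a hardened variant. The allocator is a
 * constructed stub that counts frees per block, so a double free shows up
 * as a count of 2 instead of a heap crash. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { _Atomic(uint8_t *) data; size_t len; } ByteArray;
static uint8_t g_block[64];  /* the single "heap block" in this model */
static int g_free_count;     /* how many times g_block has been freed */

static void model_free(uint8_t *p) { if (p == g_block) g_free_count++; }

/* Unsafe clear, split into the two non-atomic steps a worker performs:
 * read the pointer, free it, then store NULL. A second worker that reads
 * the pointer before the store sees the same block and frees it again. */
static uint8_t *unsafe_clear_read(ByteArray *ba) { return atomic_load(&ba->data); }
static void unsafe_clear_finish(ByteArray *ba, uint8_t *p) {
    if (p) { model_free(p); atomic_store(&ba->data, (uint8_t *)0); ba->len = 0; }
}

/* Hardened clear: atomically take ownership of the pointer first, so only
 * the worker that observed a non-NULL value performs the free. */
static int safe_clear(ByteArray *ba) {
    uint8_t *p = atomic_exchange(&ba->data, (uint8_t *)0);
    if (!p) return 0;        /* another worker already cleared it */
    model_free(p);
    ba->len = 0;
    return 1;
}

/* Replay the losing interleaving deterministically: both workers read the
 * pointer before either stores NULL. Returns how often g_block was freed. */
int race_unsafe(void) {
    ByteArray ba = { g_block, sizeof g_block };
    g_free_count = 0;
    uint8_t *a = unsafe_clear_read(&ba);   /* worker A reads data */
    uint8_t *b = unsafe_clear_read(&ba);   /* worker B reads the same pointer */
    unsafe_clear_finish(&ba, a);           /* A frees and stores NULL */
    unsafe_clear_finish(&ba, b);           /* B frees the same block again */
    return g_free_count;                   /* 2: double free */
}

int race_safe(void) {
    ByteArray ba = { g_block, sizeof g_block };
    g_free_count = 0;
    safe_clear(&ba);                       /* A wins the exchange and frees */
    safe_clear(&ba);                       /* B gets NULL and does nothing */
    return g_free_count;                   /* 1 */
}
```

The same check-then-free window is what a real scheduler exposes nondeterministically, which is why the report needs two cores to reproduce it.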
Cc: taviso@chromium.org cevans@chromium.org
Labels: Cr-Internals-Plugins-Flash
Owner: cevans@chromium.org
Yes, I'll deal with this one, thanks @inferno :-)

Re-attaching as .zip.

@biloulehibou: .rar is a pain to work with (and a dirty hacker tool :P )
I've re-uploaded as .zip; .zip preferred in future reports.
Attachment: bug423703.zip (25.3 KB)
Also pasting notes.txt as a convenience:

---
Race condition in workers may cause an exploitable double free
Tested: Chrome Stable 38.0.2125.104 (pepflashplayer.dll 15.0.0.189 32BIT) on Windows 7 SP1 x64

The issue occurs while sharing a bytearray between two workers. If both call bytearray.clear() at the same time, Flash does not correctly handle the race and may double free the array.
The idea of the exploit is to free first the bytearray, allocate a vector instead and use the double free to free the vector. Its length should then be overwritten by a pointer which is enough to execute arbitrary code.
From pepflashplayer.dll, base at 0x10000000, poc.swf most of the time causes a crash at 0x1056EF3B attempting to write at a null location.

.text:1056EF32 loc_1056EF32:
.text:1056EF32                 mov     eax, [ecx+0Ch]
.text:1056EF35                 mov     edx, [ecx+10h]
.text:1056EF38                 push    [ebp+arg_4]
.text:1056EF3B                 mov     [eax+10h], edx       ; crash here
.text:1056EF3E                 mov     eax, [ecx+10h]
.text:1056EF41                 mov     edx, [ecx+0Ch]
.text:1056EF44                 mov     [eax+0Ch], edx
.text:1056EF47                 and     dword ptr [ecx+0Ch], 0
.text:1056EF4B                 and     dword ptr [ecx+10h], 0
Put exploit/clear_xpl.swf along with exploit/calc_chrome.bin on a web server and run the browser with the --no-sandbox flag to get the calc.
Use a VM with 2 cores to get a reliable crash, I can't manage to crash a 1-cored VM.
Put poc/poc.swf and browse to in order to crash Chrome.
Compile both .fla with Flash CS 5.5. poc.txt and clear_xpl.txt show the content of poc.fla and clear_xpl.fla.

Labels: Security_Impact-Stable Security_Severity-High M-38 reward-topanel
Status: ExternalDependency
Confirm calc.exe in a VM! Chrome Stable 38.0.2125.104 32-bit.

I had to rename calc_chrome.BIN to calc_chrome.bin because my webserver is case sensitive.
@biloulehibou: great report!

Can you help me with a couple of things?
1) poc/poc.txt is empty. Did you mean to have something in that file?

2) Standalone .as files.
Would you be able to provide standalone .as files instead of .fla files? Not everyone has access to the software needed to compile .fla files.
Ideally, the exploit and the PoC would be in .as files (plus support files like .bin, explicitly loaded by the .as file as necessary).
And the .as files should be compilable by the freely downloadable Flex compiler:
http://www.adobe.com/devnet/flex/flex-sdk-download.html
e.g. mxmlc -target-player 14.0 -swf-version 25 DoubleFreeArray.as
(The flags are needed because you've used APIs newer than the default compile version of 11.1 or so. You'll also need to install a new playerglobal.swc file to get this compiler flag to work, I grabbed it from here: http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html#playerglobal)
@biloulehibou: I've attached my attempt to get the PoC down to a single .as file. It compiles (using flex and the command line above) but it doesn't work. Any chance you can help me fix it? :P
(I don't really know what I'm doing with these worker APIs and I had to comment out the call to .stop() to get it to compile so I've probably done something stupid.)
Attachment: DoubleFreeArray.as (2.4 KB)
I'm reposting a "zip", with a "bin", no "fla" and an updated "poc.txt". DoubleFreeMain.swf is the exploit.

@scarybeasts The issue came from loaderInfo, not sure why flex doesn't like it.

Tell me if you need anything else.
Attachment: DoubleFreeArray.zip (10.5 KB)
Adobe is tracking as PSIRT-3089.
Labels: CVE-2014-0574
Should be fixed in next week's patch tuesday, with CVE-2014-0574.
Project Member Comment 12 by ClusterFuzz, Nov 13 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-40 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -reward-topanel reward-unpaid reward-7500
Thanks for the report! This qualified for a $7500 reward.
Labels: -reward-unpaid reward-inprogress
Payment in progress
Labels: -reward-inprogress reward-inprocess
Labels: -Merge-Triage Merge-NA
Labels: Release-NA
Labels: -reward-inprocess
Payment on its way to you (the first time takes the longest due to the supplier registration). You should see it in your account in about 4 weeks from today. If you don't, please contact me directly to chase.
Project Member Comment 19 by ClusterFuzz, Feb 19 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic