
Issue 617105


Issue metadata

Status: Fixed
Closed: Jul 2016
Pri: 1
Type: Bug-Security




Security: use-after-free vulnerability in flash player

Reported by jiezengo...@gmail.com, Jun 3 2016

Issue description

VULNERABILITY DETAILS
There is a use-after-free vulnerability in Flash Player, which holds a dangling pointer to memory that has already been freed.

In Flash Player the crash is as follows:
001dc9f0 8b442408        mov     eax,dword ptr [esp+8]
001dc9f4 56              push    esi
001dc9f5 57              push    edi
001dc9f6 8bf1            mov     esi,ecx
001dc9f8 85c0            test    eax,eax
001dc9fa 7405            je      flashplayer_21_sa!WinMainSandboxed+0x1dfd7 (001dca01)
001dc9fc 8b4034          mov     eax,dword ptr [eax+34h] ds:0023:02b29074=????????
eax=02b29040 ebx=012e1a90 ecx=02d06000 edx=00000001 esi=02d06000 edi=021d7710
eip=001dc9fc esp=012e17cc ebp=012e1868 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
flashplayer_21_sa!WinMainSandboxed+0x1dfd2:
001dc9fc 8b4034          mov     eax,dword ptr [eax+34h] ds:0023:02b29074=????????

VERSION
Flash Player 21.0.0.242 in Chrome 51.0.2704.63 m, Windows 7 x86 (other platforms should trigger it as well)



Dragging uaf.swf into Chrome will crash it. The source code file is uaf.as.

Credit is to "JieZeng of Tencent Zhanlu Lab"

And I do not want this issue to be public.


Comment 1 by f...@chromium.org, Jun 3 2016

Thank you for the report.


Comment 2 by f...@chromium.org, Jun 3 2016

Components: Internals>Plugins>Flash
Owner: natashenka@google.com
natashenka@, could you take a look please?

Comment 3 by ClusterFuzz, Jun 4 2016

Status: Assigned (was: Unconfirmed)

Comment 4 by ClusterFuzz, Jun 6 2016

Labels: Missing_Severity-1 Missing_Impact-1

Comment 5 by f...@chromium.org, Jun 6 2016

Cc: adobe-flash@chromium.org
Owner: ----
Status: Available (was: Assigned)
adobe-flash@ friends, can any of you help triage this? I am not sure how to pass along bugs to Adobe.

Comment 6 by ihf@chromium.org, Jun 6 2016

Cc: lafo...@chromium.org
Owner: jsc...@chromium.org
Status: Assigned (was: Available)
Owner: natashenka@google.com
These go to Adobe, but I think natashenka@ has been helping here.
Yeah, looking at this one, but it's taking a while because the PoC is so complex. I'll send a bug report to Adobe and update this bug once I figure out why it is crashing :)

Comment 9 by f...@chromium.org, Jun 6 2016

Great, thanks natashanka@! Someone had told me I shouldn't have assigned it to you, that's why I moved it. :)
Just reported it!

JieZeng, you say "And I do not want this issues to be public", but provide a credit, so I'm not sure what you want here. Can you let me know whether or not you want Adobe to name you in the bulletin when they issue an update?
thanks natashanka@!

natashanka@, please forgive my poor English! I want to say: please do not make the vulnerability details public to others, for example MAPP and the Chrome issues list. But I want my name in the Security Bulletins of Adobe when they update.

natashanka@, I am your fan! :)
Cc: timwillis@google.com
Thanks, that makes sense. I'll let Adobe know about your preferences about MAPP, but I can't make any promises, it's their decision.

I'm not sure what we can do about the Chrome issues list, adding timwillis@ for more info. 

Comment 13 by wfh@chromium.org, Jun 7 2016

Labels: -Missing_Severity-1 -Missing_Impact-1 Security_Severity-High Security_Impact-Stable Restrict-View-SecurityEmbargo Pri-1
Labels: reward-topanel
Hey JieZeng,

If you want to keep this report private, we can do that but the credit goes to "anonymous". The reasoning is that we only lock down reports for anonymity reasons.

So, there are two options for you to choose from:

1) You can keep this report and PoC private, but credit goes to "anonymous" in the release notes.
2) This report will eventually become public (approximately 14 weeks after being marked as Fixed), and you can be credited as "JieZeng of Tencent Zhanlu Lab".

Please let me know if you would like Option 1 or Option 2. 

Thanks for the report!

Comment 15 by ClusterFuzz, Jun 7 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5622975151996928
natashanka@, got it, thanks again! Wish you all the best! :)
timwillis@

Hi timwillis,

I got it, I prefer option 2!

Thanks, Best regards!

Comment 18 by wfh@chromium.org, Jun 8 2016

Labels: -Restrict-View-SecurityEmbargo
@Jie - thanks for the quick reply. We'll make sure to credit you by name.

Tim
@Tim

Thanks! 

Comment 21 by sheriffbot@chromium.org, Jun 8 2016

Labels: M-51

Comment 22 by ClusterFuzz, Jun 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
@natashenka - can you please pass on Jie's preferred credit string to Adobe for the release notes?

Comment 24 by sheriffbot@chromium.org, Jun 14 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ClusterFuzz-Verified
Status: Assigned (was: Verified)
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Thanks for your reply. I was just about to ask about the update from ClusterFuzz, since I can still reproduce it locally.

Comment 27 by sheriffbot@chromium.org, Jun 22 2016

natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by jecl...@adobe.com, Jun 22 2016

Here's our current status on this:

I tested this a little more and found out this has been fixed in Townsend by CL 47709, where we added "GCRef<ScriptObjectHandle> soh = GetHandle();" to ScriptObject::GetLength() in splay.cpp.

22_0_d0_136=First Townsend build with Townsend CL 47709
23_0_d0_7=First Underwood build with Main CL 47708
22_0_r0_185=Townsend GM build
23_0_d0_56=Latest Underwood build

[After-fix]
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 in Firefox 46.0.1.5966 (32-bit) on Windows 7 x64 SP1
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 in IE 11.0.9600.18315 (32-bit) on Windows 7 x64 SP1
  PASS: FP 22_0_d0_136, 23_0_d0_7, 22_0_r0_185, 23_0_d0_56 (PPAPI) in Chrome 51.0.2704.84 (32-bit) on Windows 7 x64 SP1  
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 7 x64 SP1  
  
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 in Firefox 46.0.1.5966 (32-bit) on Windows 8.1 x64
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 in Firefox 46.0.1.5966 (64-bit) on Windows 8.1 x64  
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 in Classic IE 11.0.9600.18124 (32-bit) on Windows 8.1 x64
  PASS: FP 22_0_d0_135, 22_0_r0_185, 23_0_d0_56 in Metro IE 11.0.9600.18124 (64-bit) on Windows 8.1 x64  
  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 8.1 x64  

  PASS: FP 22_0_d0_135, 22_0_r0_185, 23_0_d0_56 in Firefox 46.0.1 on Mac OS 10.10.5 x64 x86_64
  PASS: FP 22_0_d0_135, 22_0_r0_185, 23_0_d0_56 in Safari 9.1.1 (10601.6.17) on Mac OS 10.10.5 x64 x86_64
  PASS: FP 22_0_d0_135, 22_0_r0_185, 23_0_d0_56 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Mac OS 10.10.5 x64 x86_64

  PASS: FP 22_0_d0_136, 22_0_r0_185, 23_0_d0_56 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Ubuntu 14.04 x64 trusty
  
[Before-fix]
* FAIL: FP 22_0_d0_135 in Firefox 46.0.1.5966 (32-bit) on Windows 7 x64 SP1
* FAIL: FP 22_0_d0_135 in IE 11.0.9600.18315 (32-bit) on Windows 7 x64 SP1
* FAIL: FP 22_0_d0_135, 23_0_d0_6 (PPAPI) in Chrome 51.0.2704.84 (32-bit) on Windows 7 x64 SP1
  PASS: FP 22_0_d0_135 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 7 x64 SP1

* FAIL: FP 22_0_d0_135 in Firefox 46.0.1.5966 (32-bit) on Windows 8.1 x64
  PASS: FP 22_0_d0_135 in Firefox 46.0.1.5966 (64-bit) on Windows 8.1 x64
* FAIL: FP 22_0_d0_135 in Classic IE 11.0.9600.18124 (32-bit) on Windows 8.1 x64
  PASS: FP 22_0_d0_135 in Metro IE 11.0.9600.18124 (64-bit) on Windows 8.1 x64
  PASS: FP 22_0_d0_135 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Windows 8.1 x64

  PASS: FP 22_0_d0_136 in Firefox 46.0.1 on Mac OS 10.10.5 x64 x86_64
  PASS: FP 22_0_d0_136 in Safari 9.1.1 (10601.6.17) on Mac OS 10.10.5 x64 x86_64
  PASS: FP 22_0_d0_136 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Mac OS 10.10.5 x64 x86_64
  
  PASS: FP 22_0_d0_135 (PPAPI) in Chrome 51.0.2704.84 (64-bit) on Ubuntu 14.04 x64 trusty
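The fix described in the status above (holding a GCRef handle for the duration of ScriptObject::GetLength()) is the classic remedy for a use-after-free in a garbage-collected runtime: script that runs during the call can drop the caller's last reference and let the collector sweep the object before its field is read. The following toy model is an added example, not Flash or AVM code and not part of this thread; ToyHeap, GCRef, GetLengthUnrooted and GetLengthRooted are constructed names, and the heap poisons swept objects instead of deleting them so the dangling read stays observable.

```cpp
// Toy tracing GC with scoped root handles, constructed for this page (not
// Flash/AVM code). Shows why GetLength() needed a GCRef-style handle: a
// callback into script can release the last root and run the collector.
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

struct ScriptObject { int length = 0; bool freed = false; };

struct ToyHeap {
    std::vector<std::unique_ptr<ScriptObject>> objects;  // all allocations
    std::vector<ScriptObject*> roots;                     // live handles
    ScriptObject* alloc(int len) { objects.emplace_back(new ScriptObject{len}); return objects.back().get(); }
    // Sweep: anything unrooted is "freed". We poison instead of deleting so
    // the dangling read below is observable rather than undefined behaviour.
    void collect() {
        for (auto& o : objects) {
            bool live = std::find(roots.begin(), roots.end(), o.get()) != roots.end();
            if (!live && !o->freed) { o->freed = true; o->length = -1; }
        }
    }
};

// RAII root: the object cannot be collected while the handle is in scope.
struct GCRef {
    ToyHeap& heap; ScriptObject* obj;
    GCRef(ToyHeap& h, ScriptObject* o) : heap(h), obj(o) { heap.roots.push_back(o); }
    ~GCRef() { heap.roots.erase(std::find(heap.roots.begin(), heap.roots.end(), obj)); }
};

// Script may run while GetLength() is in progress; model that as a callback.
int GetLengthUnrooted(ScriptObject* self, const std::function<void()>& script) {
    script();             // may release the last root and run the collector
    return self->length;  // dangling if `self` was swept
}
int GetLengthRooted(ToyHeap& heap, ScriptObject* self, const std::function<void()>& script) {
    GCRef soh(heap, self);  // analogue of GCRef<ScriptObjectHandle> soh = GetHandle();
    script();
    return self->length;    // still live: our handle is a root
}

// Scenario: the caller's only root is released inside the callback, then GC runs.
int Scenario(bool rooted) {
    ToyHeap heap;
    ScriptObject* obj = heap.alloc(42);
    heap.roots.push_back(obj);  // caller's handle
    auto script = [&] { heap.roots.erase(heap.roots.begin()); heap.collect(); };
    return rooted ? GetLengthRooted(heap, obj, script) : GetLengthUnrooted(obj, script);
}
```

Scenario(false) returns the poison value -1 (the object was swept mid-call); Scenario(true) returns 42 because the scoped handle kept it rooted.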
I agree with the assessment. JieZeng, does this look fixed in the latest Flash update to you?
natashenka,
Yes, it is fixed in 22.0.0.192. Sad!
And I have reported another vulnerability which is better. ;) 
Please help me report it as soon as possible.

Comment 31 by sheriffbot@chromium.org, Jul 7 2016

natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
Status: Fixed (was: Assigned)
Marking as fixed, based on comments #29 and #30.
Labels: -reward-topanel reward-unpaid reward-3000
Labels: -reward-unpaid reward-inprocess

Comment 35 by sheriffbot@chromium.org, Oct 14 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
