New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 622634 link

Starred by 1 user
Status: Fixed
Owner:
natashenka@google.com
Last visit > 30 days ago
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: use-after-free vulnerability in flash player 22.0.0.192

Reported by jiezengo...@gmail.com, Jun 23 2016 
VULNERABILITY DETAILS

There is a use-after-free vulnerability in flash player. Which could lead to code execution.

In chrome the crash as follow:
3:039> r
eax=031b5b30 ebx=0309a348 ecx=0309a348 edx=00000000 esi=03201000 edi=00000000
eip=00000000 esp=00222d60 ebp=00222e18 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000000 ??              ???

ub esp:
5864fe0f 8bd9            mov     ebx,ecx
5864fe11 33ff            xor     edi,edi
5864fe13 897c2428        mov     dword ptr [esp+28h],edi
5864fe17 8b03            mov     eax,dword ptr [ebx]
5864fe19 8b500c          mov     edx,dword ptr [eax+0Ch] 
5864fe1c 8d8c24ac000000  lea     ecx,[esp+0ACh]
5864fe23 51              push    ecx
5864fe24 8bcb            mov     ecx,ebx
5864fe26 895c2428        mov     dword ptr [esp+28h],ebx
5864fe2a 897c243c        mov     dword ptr [esp+3Ch],edi
5864fe2e ffd2            call    edx

dd ecx:
0309a348 031b5b30 00000000 00000000 00000000
0309a358 00000000 00000000 00000000 00000000
0309a368 00000000 00000000 00000000 00000000
0309a378 00000000 00000000 00000000 00000000
0309a388 00000000 00000000 00000000 00000000

so this vulnerability can control the EIP.

VERSION
Flash player 22.0.0.192 in Chrome windows 7 x86(other platform should be trigger also)

Please drag the uaftest.swf into chrome will crash.

Please not public in MAPP and public it in chrome issues list 14 weeks after being marked as Fixed.

Credit is to "JieZeng of Tencent Zhanlu Lab".

Please report is as soon as possible.
uaftest.swf
486 bytes Download

Comment 1 by jiezengo...@gmail.com, Jun 23 2016 

why can't I change the contents of the above?

Comment 2 by dominickn@chromium.org, Jun 23 2016

Components: Internals>Plugins>Flash
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
+natashenka, can you please have a look?

Comment 3 by natashenka@google.com, Jun 23 2016 

Thanks, I've reported it!

Comment 4 by natashenka@google.com, Jun 23 2016 

This is PSIRT-5526.

Comment 5 by dominickn@chromium.org, Jun 23 2016

Labels: Security_Severity-High Security_Impact-Stable

Comment 6 by jiezengo...@gmail.com, Jun 24 2016 

@natashenka Thanks!
Project Member

Comment 7 by sheriffbot@chromium.org, Jun 24 2016

Labels: M-51
Project Member

Comment 8 by sheriffbot@chromium.org, Jun 24 2016

Labels: Pri-1
Project Member

Comment 9 by sheriffbot@chromium.org, Jul 8 2016 

natashenka: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by jiezengo...@gmail.com, Jul 10 2016 

Please let me know the progress of this issue!

Thanks!

Comment 11 by natashenka@google.com, Jul 11 2016 

Adobe is still working on this issue, it will not be fixed in the next update, maybe in August instead.

Comment 12 by jiezengo...@gmail.com, Jul 12 2016 

@natashenka Thanks!  Let's keep in touch.

Comment 13 by ta...@google.com, Jul 13 2016

Labels: OS-Windows

Comment 14 by ta...@google.com, Jul 13 2016

Labels: -OS-Windows OS-All

Comment 15 by jiezengo...@gmail.com, Jul 21 2016 

Is it eligible for reward?
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 21 2016

Labels: -M-51 M-52

Comment 17 by mbarbe...@chromium.org, Jul 21 2016

Labels: reward-topanel
Once the fix is released the reward panel will take a look. I don't see any reason to think it wouldn't be, but it's up to the panel to decide.

Comment 18 Deleted

Comment 19 by jiezengo...@gmail.com, Jul 22 2016 

Thanks for letting me know.
Project Member

Comment 20 by sheriffbot@chromium.org, Jul 26 2016 

natashenka: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 Deleted

Comment 22 Deleted

Comment 23 by och...@chromium.org, Aug 11 2016

Status: ExternalDependency (was: Assigned)
Project Member

Comment 24 by sheriffbot@chromium.org, Sep 1 2016

Labels: -M-52 M-53

Comment 25 by natashenka@google.com, Sep 22 2016

Status: Fixed (was: ExternalDependency)
Fixed in September update
Project Member

Comment 26 by sheriffbot@chromium.org, Sep 23 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 27 by sheriffbot@chromium.org, Sep 25 2016

Labels: Merge-Request-54

Comment 28 by dimu@chromium.org, Sep 26 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)

Comment 29 by awhalley@chromium.org, Oct 7 2016

Labels: -Merge-Approved-54
Nothing to merge here.

Comment 30 by awhalley@chromium.org, Oct 10 2016

Labels: -reward-topanel reward-unpaid reward-3000

Comment 31 by awhalley@chromium.org, Oct 11 2016 

Very nice - $3,000 for this bug.

Comment 32 by awhalley@chromium.org, Oct 11 2016

Labels: -reward-unpaid reward-inprocess

Comment 33 by jiezengo...@gmail.com, Oct 12 2016 

Thanks!then what do I need?

Comment 34 by awhalley@chromium.org, Nov 7 2016

Labels: -Hotlist-Merge-Approved
Project Member

Comment 35 by sheriffbot@chromium.org, Dec 30 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment