Security: Adobe Flash MovieClip.duplicateMovieClip Use After Free
Reported by xiong12...@gmail.com, Dec 23 2016
Issue description

VULNERABILITY DETAILS
Adobe Flash MovieClip.duplicateMovieClip Use After Free

VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit

REPRODUCTION CASE
Open "MovieClip_duplicateMovieClip.html" with Chrome and observe the crash.

This is a use-after-free bug when in MovieClip.createEmptyMovieClip. When duplicating a MovieClip to the parent MovieClip at some depth, it will first try to remove the MovieClip in that depth. This will trigger an "onKillFocus" event callback; if we remove the parent MovieClip in the callback, a use-after-free occurs.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:

(1434.1510): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
000004c1`cf12b780 3800 cmp byte ptr [rax],al ds:000005f0`60b558c8=38
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll -
8:100> k
Child-SP RetAddr Call Site
00000000`0012c1e8 000007fe`d698d00e 0x4c1`cf12b780
00000000`0012c1f0 000007fe`d698cd3e pepflashplayer!PPP_ShutdownBroker+0x98887e
00000000`0012c230 000007fe`d698c999 pepflashplayer!PPP_ShutdownBroker+0x9885ae
00000000`0012c260 000007fe`d698aeb5 pepflashplayer!PPP_ShutdownBroker+0x988209
00000000`0012c310 000007fe`d6994f84 pepflashplayer!PPP_ShutdownBroker+0x986725
00000000`0012c350 000007fe`d61f5d46 pepflashplayer!PPP_ShutdownBroker+0x9907f4
00000000`0012c390 000007fe`d61f241f pepflashplayer!PPP_ShutdownBroker+0x1f15b6
00000000`0012c3d0 000007fe`d61eb7b9 pepflashplayer!PPP_ShutdownBroker+0x1edc8f
00000000`0012c4d0 000007fe`d6523046 pepflashplayer!PPP_ShutdownBroker+0x1e7029
00000000`0012c510 000007fe`d6214a53 pepflashplayer!PPP_ShutdownBroker+0x51e8b6
00000000`0012c630 000007fe`d63f1c5a pepflashplayer!PPP_ShutdownBroker+0x2102c3
00000000`0012c840 000007fe`d6229a2e pepflashplayer!PPP_ShutdownBroker+0x3ed4ca
00000000`0012cff0 000007fe`d625cb13 pepflashplayer!PPP_ShutdownBroker+0x22529e
00000000`0012d0e0 000007fe`d6241c01 pepflashplayer!PPP_ShutdownBroker+0x258383
00000000`0012d120 000007fe`d6241dc4 pepflashplayer!PPP_ShutdownBroker+0x23d471
00000000`0012d150 000007fe`d61c96c4 pepflashplayer!PPP_ShutdownBroker+0x23d634
00000000`0012d180 000007fe`d61ce099 pepflashplayer!PPP_ShutdownBroker+0x1c4f34
00000000`0012d1e0 000007fe`d61d8d39 pepflashplayer!PPP_ShutdownBroker+0x1c9909
00000000`0012d230 000007fe`d620b9ca pepflashplayer!PPP_ShutdownBroker+0x1d45a9
00000000`0012d550 000007fe`d62a5a44 pepflashplayer!PPP_ShutdownBroker+0x20723a

Credit: Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug.
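The callback re-entrancy the report describes, modelled in C as an added example (not Flash, Chromium or the reporter's code): the Clip type, its reference count and the ASan-style `freed` flag are constructed stand-ins. The unsafe path writes to the parent after the callback has released it; the hardened path holds a reference across the callback and bails out when the parent was detached meanwhile.

```c
#include <stdlib.h>
/* Model of the re-entrancy pattern in the report (added example, not Flash or
 * Chromium code): replacing the clip at an occupied depth fires an onKillFocus-
 * style callback, and that callback may remove the parent clip. A `freed` flag
 * stands in for a released heap cell so the UAF is observable without UB. */
typedef struct Clip Clip;
typedef void (*KillFocusCb)(Clip *losing_focus, Clip *parent);
struct Clip {
    int refs, freed;          /* strong references held; freed is set at zero */
    Clip *child;              /* the single depth slot this model needs */
    KillFocusCb on_kill_focus;
};
static int uaf_hits;          /* touches of released clips (stand-in for ASan) */
static Clip *clip_new(void) { Clip *c = calloc(1, sizeof *c); c->refs = 1; return c; }
static void clip_release(Clip *c) { if (c->refs > 0 && --c->refs == 0) c->freed = 1; }
static Clip *use(Clip *c) { if (c->freed) uaf_hits++; return c; }
/* The script's callback from the report: remove the parent while the engine
 * still operates on it (modelled as dropping the stage's reference). */
static void remove_parent_cb(Clip *losing_focus, Clip *parent) {
    (void)losing_focus;
    clip_release(parent);
}
/* Vulnerable shape: run the callback, then write to parent with no reference held. */
static void duplicate_at_depth_unsafe(Clip *parent, Clip *dup) {
    Clip *old = parent->child;
    if (old && old->on_kill_focus) old->on_kill_focus(old, parent);
    use(parent)->child = dup;           /* UAF if the callback released parent */
}
/* Hardened shape: hold a reference to parent across the callback and skip the
 * write if parent was detached meanwhile. Returns 1 when it bailed out. */
static int duplicate_at_depth_safe(Clip *parent, Clip *dup) {
    parent->refs++;
    Clip *old = parent->child;
    if (old && old->on_kill_focus) old->on_kill_focus(old, parent);
    int detached = (parent->refs == 1); /* only our reference is left */
    if (!detached) use(parent)->child = dup;
    clip_release(parent);
    return detached;
}
/* Runs one path against a parent-removing callback; returns released-object touches. */
static int demo(int hardened) {
    Clip *parent = clip_new(), *old = clip_new(), *dup = clip_new();
    old->on_kill_focus = remove_parent_cb;
    parent->child = old; uaf_hits = 0;
    if (hardened) duplicate_at_depth_safe(parent, dup);
    else duplicate_at_depth_unsafe(parent, dup);
    int hits = uaf_hits; free(parent); free(old); free(dup);
    return hits;
}
```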
Dec 24 2016
Dec 24 2016
Dec 24 2016
Jan 26 2017
Feb 13 2017

Feb 14 2017
Just reported this.

Feb 15 2017
This is PSIRT-6395

Mar 6 2017
Yuki, I can't see the PoC anymore, did you delete it? Can you attach it again?

Mar 10 2017

Mar 22 2017
Adobe is having trouble reproducing this issue on the latest build. Can you please reattach the PoC to *this* bug, and also let me know if it still works for you. Thanks!
Mar 23 2017
Here is the PoC. I tested it in the latest build and found it does not work any more. Maybe because of the new "trick" added in the March update for MovieClip UAFs.
Mar 24 2017
Thanks, closing this issue as it is no longer valid.
Mar 25 2017
Jul 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, Dec 24 2016
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)