Security: Adobe Flash Selection.setFocus Use After Free
Reported by
xiong12...@gmail.com,
Dec 23 2016
Issue description
VULNERABILITY DETAILS
Adobe Flash Selection.setFocus Use After Free
VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit
REPRODUCTION CASE
Open "Selection_setFocus.html" with Chrome and observe the crash.
This is a use after free bug when setting focus to a TextField object.
We have 2 TextField objects, "tf" and "ttf", and we call Selection.setFocus on them in the following sequence:
Selection.setFocus("ttf");
Selection.setFocus("tf");
And inside the "onSetFocus" event callback of "tf", we delete "ttf" by calling "removeTextField".
Later the "ttf" TextField will still be used after it was deleted, causing the use-after-free issue.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
(1e18.17fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll -
pepflashplayer!PPP_ShutdownBroker+0x2254a7:
000007fe`d6529c37 488b4810 mov rcx,qword ptr [rax+10h] ds:00000000`80000000=????????????????
8:093> k
Child-SP RetAddr Call Site
00000000`0028d1b0 000007fe`d651b521 pepflashplayer!PPP_ShutdownBroker+0x2254a7
00000000`0028d2a0 000007fe`d6513d70 pepflashplayer!PPP_ShutdownBroker+0x216d91
00000000`0028d2f0 000007fe`d65076c1 pepflashplayer!PPP_ShutdownBroker+0x20f5e0
00000000`0028d370 000007fe`d65aae35 pepflashplayer!PPP_ShutdownBroker+0x202f31
00000000`0028d3c0 000007fe`d6514a53 pepflashplayer!PPP_ShutdownBroker+0x2a66a5
00000000`0028d460 000007fe`d66f1c5a pepflashplayer!PPP_ShutdownBroker+0x2102c3
00000000`0028d670 000007fe`d64ed547 pepflashplayer!PPP_ShutdownBroker+0x3ed4ca
00000000`0028de20 000007fe`d64ee58e pepflashplayer!PPP_ShutdownBroker+0x1e8db7
00000000`0028de80 000007fe`d65369f9 pepflashplayer!PPP_ShutdownBroker+0x1e9dfe
00000000`0028e140 000007fe`d65369a6 pepflashplayer!PPP_ShutdownBroker+0x232269
00000000`0028e170 000007fe`d64fcbc1 pepflashplayer!PPP_ShutdownBroker+0x232216
00000000`0028e1c0 000007fe`d631b6bd pepflashplayer!PPP_ShutdownBroker+0x1f8431
00000000`0028e250 000007fe`d634114b pepflashplayer!PPP_ShutdownBroker+0x16f2d
00000000`0028e460 000007fe`d634105e pepflashplayer!PPP_ShutdownBroker+0x3c9bb
00000000`0028e4b0 000007fe`d634150c pepflashplayer!PPP_ShutdownBroker+0x3c8ce
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.28\chrome_child.dll -
00000000`0028e4e0 000007fe`df457950 pepflashplayer!PPP_ShutdownBroker+0x3cd7c
00000000`0028e510 000007fe`df49dbd1 chrome_child!IsSandboxedProcess+0x20970
00000000`0028e540 000007fe`df472b3a chrome_child!IsSandboxedProcess+0x66bf1
00000000`0028e5b0 000007fe`df472664 chrome_child!IsSandboxedProcess+0x3bb5a
00000000`0028e5e0 000007fe`df4727ae chrome_child!IsSandboxedProcess+0x3b684
Credit:
Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug.
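The lifetime bug the report describes, modelled as an added C example (not Flash's, Adobe's or the reporter's code): a focus change keeps a pointer to the previously focused field across a user callback, and that callback removes the field. The `TextField` struct, the `retain`/`release` reference counting, `unsafe_set_focus`, `safe_set_focus`, `run_scenario` and the stage array are all assumptions made for the model; the freed-address log exists only so the unsafe path can report the dangling pointer instead of reading through it. The hardened variant shows the usual fix, holding a reference to the old object for as long as it is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 8

typedef struct TextField TextField;
struct TextField {
    char name[16];
    int refcount;                          /* owners: the stage plus any caller holding it */
    int has_focus;
    void (*on_set_focus)(TextField *self); /* hypothetical onSetFocus handler */
};

static TextField *stage[MAX_FIELDS];       /* constructed: the objects setFocus can reach */
static TextField *focused;                 /* currently focused field, may be NULL */

/* Addresses passed to free(), kept so the unsafe path can recognise a dangling
   pointer by value rather than dereferencing it (which would be undefined). */
static uintptr_t freed_log[MAX_FIELDS];
static int freed_count;

static void retain(TextField *tf) { tf->refcount++; }
static void release(TextField *tf) {
    if (--tf->refcount) return;
    if (freed_count < MAX_FIELDS) freed_log[freed_count++] = (uintptr_t)tf;
    free(tf);
}
static int is_dangling(const TextField *tf) {
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == (uintptr_t)tf) return 1;
    return 0;
}

TextField *create_text_field(const char *name, void (*cb)(TextField *)) {
    for (int i = 0; i < MAX_FIELDS; i++) {
        if (stage[i]) continue;
        TextField *tf = calloc(1, sizeof *tf);
        if (!tf) return NULL;
        strncpy(tf->name, name, sizeof tf->name - 1);
        tf->refcount = 1;                  /* the stage's own reference */
        tf->on_set_focus = cb;
        return stage[i] = tf;
    }
    return NULL;
}
static TextField *find_text_field(const char *name) {
    for (int i = 0; i < MAX_FIELDS; i++)
        if (stage[i] && strcmp(stage[i]->name, name) == 0) return stage[i];
    return NULL;
}
/* Models removeTextField(): drop the stage's reference; frees if it was the last one. */
void remove_text_field(const char *name) {
    for (int i = 0; i < MAX_FIELDS; i++)
        if (stage[i] && strcmp(stage[i]->name, name) == 0) {
            TextField *tf = stage[i];
            stage[i] = NULL;
            release(tf);
            return;
        }
}

/* Vulnerable shape: a raw pointer to the old field survives a user callback.
   Returns 0 on success, -1 when the old field was freed inside the callback. */
int unsafe_set_focus(const char *name) {
    TextField *target = find_text_field(name);
    if (!target) return -2;
    TextField *old = focused;
    focused = target;
    target->has_focus = 1;
    if (target->on_set_focus) target->on_set_focus(target);  /* may run removeTextField */
    if (old && old != target) {
        if (is_dangling(old)) return -1;   /* real code would read freed memory here */
        old->has_focus = 0;
    }
    return 0;
}
/* Hardened shape: hold a reference to the old field while it is still used. */
int safe_set_focus(const char *name) {
    TextField *target = find_text_field(name);
    if (!target) return -2;
    TextField *old = focused;
    if (old) retain(old);                  /* the callback can no longer free it */
    focused = target;
    target->has_focus = 1;
    if (target->on_set_focus) target->on_set_focus(target);
    if (old && old != target) old->has_focus = 0;  /* still alive: we hold a reference */
    if (old) release(old);                 /* last use done; frees now if it was removed */
    return 0;
}

static void on_tf_focus(TextField *self) { (void)self; remove_text_field("ttf"); }
static void reset_stage(void) {
    focused = NULL;
    for (int i = 0; i < MAX_FIELDS; i++)
        if (stage[i]) { TextField *tf = stage[i]; stage[i] = NULL; release(tf); }
    freed_count = 0;
}
/* Replays the report: setFocus("ttf"), then setFocus("tf") whose handler removes "ttf". */
int run_scenario(int hardened) {
    int (*set_focus)(const char *) = hardened ? safe_set_focus : unsafe_set_focus;
    reset_stage();
    create_text_field("ttf", NULL);
    create_text_field("tf", on_tf_focus);
    set_focus("ttf");
    return set_focus("tf");
}
int main(void) {
    printf("unsafe: %d (-1 = stale pointer used after free)\n", run_scenario(0));
    printf("safe:   %d\n", run_scenario(1));
    return 0;
}
```

The detection side of the same idea is what an allocator with poisoning or a tool such as AddressSanitizer reports: the read of `old` after the callback is the access the crash dumps above show as `mov rcx,qword ptr [rax+10h]` on a poisoned pointer.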
Dec 24 2016
Dec 24 2016
Dec 24 2016
Jan 26 2017
Feb 13 2017
Feb 14 2017
Sorry, I can't repro this one, are you still able to?
Feb 15 2017
@natashenka:
I can still reproduce it with pepflashplayer 24.0.0.221, here's the crash stack:
5:071> g
ModLoad: 000007fe`f93d0000 000007fe`f93f7000 C:\Windows\system32\cryptnet.dll
(1784.1750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pepflashplayer!PPP_ShutdownBroker+0x225c17:
000007fe`d927a417 488b4810 mov rcx,qword ptr [rax+10h] ds:00000000`80000000=????????????????
8:117> k
Child-SP RetAddr Call Site
00000000`002fd6f0 000007fe`d926bbe1 pepflashplayer!PPP_ShutdownBroker+0x225c17
00000000`002fd7e0 000007fe`d9264430 pepflashplayer!PPP_ShutdownBroker+0x2173e1
00000000`002fd830 000007fe`d9257c11 pepflashplayer!PPP_ShutdownBroker+0x20fc30
00000000`002fd8b0 000007fe`d92fbb23 pepflashplayer!PPP_ShutdownBroker+0x203411
00000000`002fd900 000007fe`d9265103 pepflashplayer!PPP_ShutdownBroker+0x2a7323
00000000`002fd9a0 000007fe`d9442a15 pepflashplayer!PPP_ShutdownBroker+0x210903
00000000`002fdbb0 000007fe`d923da8a pepflashplayer!PPP_ShutdownBroker+0x3ee215
00000000`002fe360 000007fe`d923eade pepflashplayer!PPP_ShutdownBroker+0x1e928a
00000000`002fe3c0 000007fe`d9287339 pepflashplayer!PPP_ShutdownBroker+0x1ea2de
00000000`002fe680 000007fe`d92872e6 pepflashplayer!PPP_ShutdownBroker+0x232b39
00000000`002fe6b0 000007fe`d924d111 pepflashplayer!PPP_ShutdownBroker+0x232ae6
00000000`002fe700 000007fe`d906b75d pepflashplayer!PPP_ShutdownBroker+0x1f8911
00000000`002fe790 000007fe`d909127b pepflashplayer!PPP_ShutdownBroker+0x16f5d
00000000`002fe9a0 000007fe`d909118e pepflashplayer!PPP_ShutdownBroker+0x3ca7b
00000000`002fe9f0 000007fe`d909163c pepflashplayer!PPP_ShutdownBroker+0x3c98e
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.21\chrome_child.dll -
00000000`002fea20 000007fe`e03c2574 pepflashplayer!PPP_ShutdownBroker+0x3ce3c
00000000`002fea50 000007fe`e04080d5 chrome_child!IsSandboxedProcess+0x216f4
00000000`002fea80 000007fe`e03dcf8a chrome_child!IsSandboxedProcess+0x67255
00000000`002feaf0 000007fe`e03dcabc chrome_child!IsSandboxedProcess+0x3c10a
00000000`002feb20 000007fe`e03dcc06 chrome_child!IsSandboxedProcess+0x3bc3c
8:117> lmvm pepflashplayer
start end module name
000007fe`d8f90000 000007fe`dae44000 pepflashplayer (export symbols)
Image name: pepflashplayer.dll
Timestamp: Tue Jan 31 04:19:35 2017 (588F9FD7)
CheckSum: 01DC1A02
ImageSize: 01EB4000
File version: 24.0.0.221
Product version: 24.0.0.221
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
Feb 15 2017
This isn't a very reliable crasher, but I got it to crash, so reporting.
Feb 16 2017
This is PSIRT-6404
Mar 6 2017
Yuki, I can't see the PoC anymore, did you delete it? Can you attach it again?
Mar 10 2017
Mar 10 2017
Adobe says this is also CVE-2017-3001
Mar 11 2017
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, Dec 24 2016
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)