
Issue 676781


Issue metadata

Status: Duplicate
Merged: issue 676773
Owner:
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: Adobe Flash TextField Input Use After Free

Reported by xiong12...@gmail.com, Dec 23 2016

Issue description


VULNERABILITY DETAILS
Adobe Flash TextField Input Use After Free

VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit

REPRODUCTION CASE

Open "TestText.html" with chrome, then type any key in the text field saying "Type anything here to get crash", and observe the crash.


This is a use-after-free bug when handling input in the TextField.
When handling user input in a TextField, a user-defined callback function could be triggered.
If we delete the TextField in the callback function, a use-after-free occurs.




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 


5:049> g
(1bd4.1298): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll - 
pepflashplayer!PPP_ShutdownBroker+0x20fa18:
000007fe`d46641a8 ff4008          inc     dword ptr [rax+8] ds:00000000`7ffffff8=????????

8:097> k
Child-SP          RetAddr           Call Site
00000000`002ce2f0 000007fe`d46659e4 pepflashplayer!PPP_ShutdownBroker+0x20fa18
00000000`002ce4f0 000007fe`d460e5c9 pepflashplayer!PPP_ShutdownBroker+0x211254
00000000`002ce550 000007fe`d446592f pepflashplayer!PPP_ShutdownBroker+0x1b9e39
00000000`002ce8d0 000007fe`d44643a8 pepflashplayer!PPP_ShutdownBroker+0x1119f
00000000`002ce970 000007fe`d4469176 pepflashplayer!PPP_ShutdownBroker+0xfc18
00000000`002cec20 000007fe`d446942f pepflashplayer!PPP_ShutdownBroker+0x149e6
00000000`002cec90 000007fe`d44696dc pepflashplayer!PPP_ShutdownBroker+0x14c9f
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.28\chrome_child.dll - 
00000000`002cecc0 000007fe`df457950 pepflashplayer!PPP_ShutdownBroker+0x14f4c
00000000`002cecf0 000007fe`df457ce1 chrome_child!IsSandboxedProcess+0x20970
00000000`002ced20 000007fe`df457ebe chrome_child!IsSandboxedProcess+0x20d01
00000000`002cedc0 000007fe`df43f728 chrome_child!IsSandboxedProcess+0x20ede
00000000`002cee10 000007fe`df43fff6 chrome_child!IsSandboxedProcess+0x8748
00000000`002cee40 000007fe`ddbd50c0 chrome_child!IsSandboxedProcess+0x9016
00000000`002cee70 000007fe`ddbd503e chrome_child!ovly_debug_event+0x157d0
00000000`002ceea0 000007fe`ddbd7094 chrome_child!ovly_debug_event+0x1574e
00000000`002cefa0 000007fe`ddbd59ef chrome_child!ovly_debug_event+0x177a4
00000000`002cf0c0 000007fe`ddbd4a89 chrome_child!ovly_debug_event+0x160ff
00000000`002cf4b0 000007fe`ddfc0f37 chrome_child!ovly_debug_event+0x15199
00000000`002cf500 000007fe`dee35c9b chrome_child!ChromeMain+0x4a2b
00000000`002cf550 000007fe`ddfbc9dc chrome_child!ChromeMain+0xe7978f




Credit:

Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug. 
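An added illustration of the bug class described above, written for this page and not Adobe's or Flash's code: a hypothetical C++ TextField that runs a user-defined callback while handling input, where the callback removes the field. The hardened handler pins the object's lifetime for the whole dispatch and re-checks liveness afterwards, so a re-entrant delete becomes a deferred destruction instead of a use-after-free (TextField, Stage and the callback names are assumptions).

```cpp
#include <functional>
#include <memory>
#include <string>

// Hypothetical model of the report's bug class: a TextField dispatches a
// user-defined callback while handling input, and that callback may delete
// the field. Vulnerable shape: onInput(); text.push_back(c);  // *this freed.
class TextField : public std::enable_shared_from_this<TextField> {
public:
    std::function<void()> onInput;   // user-defined callback (assumed API)
    std::string text;
    bool removed = false;            // owner has dropped the field

    // Hardened shape: returns true if the field was still live after the callback.
    bool handleInput(char c) {
        // Pin lifetime for the whole dispatch: even if the owner drops its
        // reference inside the callback, *this stays valid until we return.
        std::shared_ptr<TextField> keepAlive = shared_from_this();
        if (onInput) onInput();      // may re-enter and remove this field
        if (removed) return false;   // deferred: never mutate a removed field
        text.push_back(c);
        return true;
    }
};

// Owner of the field; removeField() models "delete the TextField in the callback".
struct Stage {
    std::shared_ptr<TextField> field = std::make_shared<TextField>();
    void removeField() { if (field) { field->removed = true; field.reset(); } }
};

// Replays the report's scenario safely. Returns true when the field survived
// the callback, its state was not mutated afterwards, and it was freed only
// once the dispatch had finished.
bool removeDuringInputIsSafe() {
    Stage stage;
    std::weak_ptr<TextField> watch = stage.field;       // observes destruction
    stage.field->onInput = [&stage] { stage.removeField(); };
    TextField* raw = stage.field.get();
    bool live = raw->handleInput('a');                  // callback removes field
    return !live && watch.expired() && stage.field == nullptr;
}

// Control case: the callback does not remove the field, so input is applied.
std::string normalInputText() {
    Stage stage;
    int calls = 0;
    stage.field->onInput = [&calls] { ++calls; };
    stage.field->handleInput('h');
    stage.field->handleInput('i');
    return calls == 2 ? stage.field->text : "";
}
```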
 

Comment 1 by aarya@google.com, Dec 24 2016

Components: Internals>Plugins>Flash
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)
Natalie, can you please file these bugs with Adobe. Thanks!

Comment 2 by aarya@google.com, Dec 24 2016

Labels: Security_Severity-High Security_Impact-Stable

Comment 3 by sheriffbot@chromium.org, Dec 24 2016

Labels: M-55

Comment 4 by sheriffbot@chromium.org, Dec 24 2016

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Jan 26 2017

Labels: -M-55 M-56
Labels: reward-topanel
Just reported this one.
This is PSIRT-6398  
Yuki, I can't see the PoC anymore, did you delete it? Can you attach it again?
@natashenka,

Yes, I deleted the poc. Because this issue will finally be made available to the public, I'd like to avoid the risk that my bug might be exploited by bad guys.
Adobe asked a question about the PoC, and I need a copy to answer it. Can you please re-attach the PoC?
Sure, I have re-attached the 10 PoCs.
Attachment: flash uaf 10.zip (75.0 KB)

Comment 13 by sheriffbot@chromium.org, Mar 10 2017

Labels: -M-56 M-57
Mergedinto: 676773
Status: Duplicate (was: ExternalDependency)
Adobe says this is also CVE-2017-3001

Comment 15 by sheriffbot@chromium.org, Mar 11 2017

Labels: -reward-topanel reward-ineligible

Comment 16 by sheriffbot@chromium.org, Feb 16 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
