Issue metadata
Sign in to add a comment
|
Security: Adobe Flash Player Use After Free Vulnerability Valentine Series (6)
Reported by
xiong12...@gmail.com,
Feb 15 2017
|
||||||||||||||||||||||
Issue descriptionVERSION Chrome Version: 57.0.2987.21 beta (64-bit), pepflashplayer 24.0.0.221 Operating System: Windows 7 en 64-bit REPRODUCTION CASE Open the poc in the attachment with chrome and observe the crash. There is also a detailed write-up about the vulnerability in the attachment. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: tab Crash State: (d94.13e0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. (1718.480): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. pepflashplayer!PPP_ShutdownBroker+0x2291d7: 000007fe`df54d9d7 488b4750 mov rax,qword ptr [rdi+50h] ds:00000000`80000040=???????????????? 8:123> k Child-SP RetAddr Call Site 00000000`002cd870 000007fe`df70c401 pepflashplayer!PPP_ShutdownBroker+0x2291d7 00000000`002cd8e0 000007fe`df712aee pepflashplayer!PPP_ShutdownBroker+0x3e7c01 00000000`002cd940 000007fe`df50da8a pepflashplayer!PPP_ShutdownBroker+0x3ee2ee 00000000`002ce0f0 000007fe`df50eade pepflashplayer!PPP_ShutdownBroker+0x1e928a 00000000`002ce150 000007fe`df557339 pepflashplayer!PPP_ShutdownBroker+0x1ea2de 00000000`002ce410 000007fe`df5572e6 pepflashplayer!PPP_ShutdownBroker+0x232b39 00000000`002ce440 000007fe`df51d111 pepflashplayer!PPP_ShutdownBroker+0x232ae6 00000000`002ce490 000007fe`df33b75d pepflashplayer!PPP_ShutdownBroker+0x1f8911 00000000`002ce520 000007fe`df36127b pepflashplayer!PPP_ShutdownBroker+0x16f5d 00000000`002ce730 000007fe`df36118e pepflashplayer!PPP_ShutdownBroker+0x3ca7b 00000000`002ce780 000007fe`df36163c pepflashplayer!PPP_ShutdownBroker+0x3c98e *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.21\chrome_child.dll - 00000000`002ce7b0 000007fe`d9372574 pepflashplayer!PPP_ShutdownBroker+0x3ce3c 00000000`002ce7e0 000007fe`d93b80d5 chrome_child!IsSandboxedProcess+0x216f4 00000000`002ce810 000007fe`d938cf8a chrome_child!IsSandboxedProcess+0x67255 00000000`002ce880 000007fe`d938cabc chrome_child!IsSandboxedProcess+0x3c10a 00000000`002ce8b0 000007fe`d938cc06 chrome_child!IsSandboxedProcess+0x3bc3c 00000000`002ce920 000007fe`d935df96 chrome_child!IsSandboxedProcess+0x3bd86 00000000`002cea90 000007fe`d7d123fe chrome_child!IsSandboxedProcess+0xd116 00000000`002ceac0 000007fe`d7cc718c chrome_child!ovly_debug_event+0xc9fce 00000000`002cec20 000007fe`d7d129b6 chrome_child!ovly_debug_event+0x7ed5c Credit: Yuki Chen Of Qihoo 360 Vulcan Team
,
Feb 15 2017
Natalie, would you mind helping with these?
,
Feb 15 2017
Thanks, I've reported this
,
Feb 16 2017
This is PSIRT-6412
,
Mar 10 2017
Adobe says this is the same as 676773.
,
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 Deleted