Issue metadata
Sign in to add a comment
|
Security: Adobe Flash Player Use After Free Vulnerability Valentine Series (7)
Reported by
xiong12...@gmail.com,
Feb 15 2017
|
||||||||||||||||||||||
Issue descriptionVERSION Chrome Version: 57.0.2987.21 beta (64-bit), pepflashplayer 24.0.0.221 Operating System: Windows 7 en 64-bit REPRODUCTION CASE Open the poc in the attachment with chrome and observe the crash. There is also a detailed write-up about the vulnerability in the attachment. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: tab Crash State: (12b0.74c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. pepflashplayer!PPP_ShutdownBroker+0x3e96d0: 000007fe`d60eded0 3981bc020000 cmp dword ptr [rcx+2BCh],eax ds:00000000`000002bc=???????? 7:101> k Child-SP RetAddr Call Site 00000000`0024d690 000007fe`d60f2ad6 pepflashplayer!PPP_ShutdownBroker+0x3e96d0 00000000`0024d6f0 000007fe`d5eeda8a pepflashplayer!PPP_ShutdownBroker+0x3ee2d6 00000000`0024dea0 000007fe`d5eeeade pepflashplayer!PPP_ShutdownBroker+0x1e928a 00000000`0024df00 000007fe`d5f37339 pepflashplayer!PPP_ShutdownBroker+0x1ea2de 00000000`0024e1c0 000007fe`d5f372e6 pepflashplayer!PPP_ShutdownBroker+0x232b39 00000000`0024e1f0 000007fe`d5efd111 pepflashplayer!PPP_ShutdownBroker+0x232ae6 00000000`0024e240 000007fe`d5d1b75d pepflashplayer!PPP_ShutdownBroker+0x1f8911 00000000`0024e2d0 000007fe`d5d4127b pepflashplayer!PPP_ShutdownBroker+0x16f5d 00000000`0024e4e0 000007fe`d5d4118e pepflashplayer!PPP_ShutdownBroker+0x3ca7b 00000000`0024e530 000007fe`d5d4163c pepflashplayer!PPP_ShutdownBroker+0x3c98e *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.21\chrome_child.dll - 00000000`0024e560 000007fe`d9372574 pepflashplayer!PPP_ShutdownBroker+0x3ce3c 00000000`0024e590 000007fe`d93b80d5 chrome_child!IsSandboxedProcess+0x216f4 00000000`0024e5c0 000007fe`d938cf8a chrome_child!IsSandboxedProcess+0x67255 00000000`0024e630 000007fe`d938cabc chrome_child!IsSandboxedProcess+0x3c10a 00000000`0024e660 000007fe`d938cc06 chrome_child!IsSandboxedProcess+0x3bc3c 00000000`0024e6d0 000007fe`d935df96 chrome_child!IsSandboxedProcess+0x3bd86 00000000`0024e840 000007fe`d7d123fe chrome_child!IsSandboxedProcess+0xd116 00000000`0024e870 000007fe`d7cc718c chrome_child!ovly_debug_event+0xc9fce 00000000`0024e9d0 000007fe`d7d129b6 chrome_child!ovly_debug_event+0x7ed5c 00000000`0024eaf0 000007fe`d7d11b8c chrome_child!ovly_debug_event+0xca586 Credit: Yuki Chen Of Qihoo 360 Vulcan Team
,
Feb 15 2017
Natalie, would you mind helping with these?
,
Feb 15 2017
Thanks, I've reported this.
,
Feb 16 2017
This is PSIRT-6410
,
Mar 10 2017
Adobe says this is the same as 676773.
,
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 Deleted