Security: Adobe Flash Player Use After Free Vulnerability Valentine Series (11)
Reported by xiong12...@gmail.com, Feb 15 2017
Issue description

VERSION
Chrome Version: 57.0.2987.21 beta (64-bit), pepflashplayer 24.0.0.221
Operating System: Windows 7 en 64-bit

REPRODUCTION CASE
Open the poc in the attachment with chrome and observe the crash. There is also a detailed write-up about the vulnerability in the attachment.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
(7b0.1738): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pepflashplayer!PPP_ShutdownBroker+0x98cc36:
000007fe`d73f1436 4c8b01          mov     r8,qword ptr [rcx] ds:00000000`7ffffff0=????????????????
8:128> k
Child-SP          RetAddr           Call Site
00000000`0026cfc0 000007fe`d6c3766c pepflashplayer!PPP_ShutdownBroker+0x98cc36
00000000`0026cff0 000007fe`d6c74e6f pepflashplayer!PPP_ShutdownBroker+0x1d2e6c
00000000`0026d0a0 000007fe`d6c76094 pepflashplayer!PPP_ShutdownBroker+0x21066f
00000000`0026d2a0 000007fe`d6d16c28 pepflashplayer!PPP_ShutdownBroker+0x211894
00000000`0026d300 000007fe`d6d013f6 pepflashplayer!PPP_ShutdownBroker+0x2b2428
00000000`0026d390 000007fe`d6c75103 pepflashplayer!PPP_ShutdownBroker+0x29cbf6
00000000`0026d470 000007fe`d6e52a15 pepflashplayer!PPP_ShutdownBroker+0x210903
00000000`0026d670 000007fe`d6c4da8a pepflashplayer!PPP_ShutdownBroker+0x3ee215
00000000`0026de20 000007fe`d6c4eade pepflashplayer!PPP_ShutdownBroker+0x1e928a
00000000`0026de80 000007fe`d6c97339 pepflashplayer!PPP_ShutdownBroker+0x1ea2de
00000000`0026e140 000007fe`d6c972e6 pepflashplayer!PPP_ShutdownBroker+0x232b39
00000000`0026e170 000007fe`d6c5d111 pepflashplayer!PPP_ShutdownBroker+0x232ae6
00000000`0026e1c0 000007fe`d6a7b75d pepflashplayer!PPP_ShutdownBroker+0x1f8911
00000000`0026e250 000007fe`d6aa127b pepflashplayer!PPP_ShutdownBroker+0x16f5d
00000000`0026e460 000007fe`d6aa118e pepflashplayer!PPP_ShutdownBroker+0x3ca7b
00000000`0026e4b0 000007fe`d6aa163c pepflashplayer!PPP_ShutdownBroker+0x3c98e
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.21\chrome_child.dll -
00000000`0026e4e0 000007fe`e1c32574 pepflashplayer!PPP_ShutdownBroker+0x3ce3c
00000000`0026e510 000007fe`e1c780d5 chrome_child!IsSandboxedProcess+0x216f4
00000000`0026e540 000007fe`e1c4cf8a chrome_child!IsSandboxedProcess+0x67255
00000000`0026e5b0 000007fe`e1c4cabc chrome_child!IsSandboxedProcess+0x3c10a
00000000`001dec70 000007fe`e1c4cabc chrome_child!IsSandboxedProcess+0x3c10a

Credit: Yuki Chen Of Qihoo 360 Vulcan Team
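The crash state above is WinDbg `k` output in which every frame is symbolised against the nearest export (`PPP_ShutdownBroker`, `IsSandboxedProcess`) because no PDB was available, so the names carry no information about the real functions; only the module, the offsets and the faulting read of an unreadable address (the `????` after `ds:`) are usable for triage. The following Python helper is an added example, not part of the report or of any Chromium or Adobe tooling: it parses such a dump into frames, extracts the faulting access, and flags modules whose frames all collapse onto one exported name at large offsets. The sample lines are copied from the report and trimmed; the 0x10000 offset threshold for "export-only symbolication" is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the Crash State of this report.
SAMPLE = """\
(7b0.1738): Access violation - code c0000005 (first chance)
pepflashplayer!PPP_ShutdownBroker+0x98cc36:
000007fe`d73f1436 4c8b01          mov     r8,qword ptr [rcx] ds:00000000`7ffffff0=????????????????
8:128> k
Child-SP          RetAddr           Call Site
00000000`0026cfc0 000007fe`d6c3766c pepflashplayer!PPP_ShutdownBroker+0x98cc36
00000000`0026cff0 000007fe`d6c74e6f pepflashplayer!PPP_ShutdownBroker+0x1d2e6c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\\Program Files (x86)\\Google\\Chrome\\Application\\57.0.2987.21\\chrome_child.dll -
00000000`0026e510 000007fe`e1c780d5 chrome_child!IsSandboxedProcess+0x216f4
"""

# Assumed threshold: an offset this far from an export means the debugger had
# no real symbols and the name is just the nearest export, not the function.
EXPORT_ONLY_OFFSET = 0x10000


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    module: str
    symbol: str
    offset: int


# One `k` frame: Child-SP, RetAddr (both hi`lo), then module!symbol[+0xoff].
FRAME_RE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})\s+"
    r"([^!\s]+)!([^+\s]+)(?:\+0x([0-9a-f]+))?", re.I)
# Memory operand shown by the faulting instruction: [reg] ds:hi`lo=value
FAULT_RE = re.compile(r"\[(\w+)\]\s+ds:([0-9a-f]{8})`([0-9a-f]{8})=(\?+|[0-9a-f]+)", re.I)
EXC_RE = re.compile(r"Access violation - code ([0-9a-f]+)", re.I)


def join_qword(hi: str, lo: str) -> int:
    """WinDbg prints 64-bit values as hi`lo; join the two halves."""
    return int(hi + lo, 16)


def parse_frames(text: str) -> List[Frame]:
    """Return the stack frames, skipping headers, prompts and '*** ERROR' noise."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        frames.append(Frame(
            child_sp=join_qword(m.group(1), m.group(2)),
            ret_addr=join_qword(m.group(3), m.group(4)),
            module=m.group(5),
            symbol=m.group(6),
            offset=int(m.group(7) or "0", 16),
        ))
    return frames


def parse_fault(text: str) -> Optional[dict]:
    """Exception code plus the register, address and readability of the faulting access."""
    code = EXC_RE.search(text)
    fault = FAULT_RE.search(text)
    if not code or not fault:
        return None
    return {
        "code": int(code.group(1), 16),
        "register": fault.group(1),
        "address": join_qword(fault.group(2), fault.group(3)),
        # WinDbg prints '????' when the target address is not mapped/readable.
        "readable": not fault.group(4).startswith("?"),
    }


def export_only_modules(frames: List[Frame], max_offset: int = EXPORT_ONLY_OFFSET) -> List[str]:
    """Modules whose frames all resolve to a single symbol at large offsets:
    export-only symbolication, so the symbol names should not be trusted."""
    by_module: Dict[str, List[Frame]] = {}
    for f in frames:
        by_module.setdefault(f.module, []).append(f)
    suspects = []
    for mod, fs in by_module.items():
        names = {f.symbol for f in fs}
        if len(names) == 1 and max(f.offset for f in fs) > max_offset:
            suspects.append(mod)
    return sorted(suspects)


def triage(text: str) -> dict:
    """Summary a triager wants first: crashing module, fault details, symbol quality."""
    frames = parse_frames(text)
    return {
        "frames": len(frames),
        "top_module": frames[0].module if frames else None,
        "fault": parse_fault(text),
        "export_only": export_only_modules(frames),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the full Crash State, the summary shows the crash inside pepflashplayer on a read through `rcx` of an unmapped address, with both modules flagged as export-only, which is why the frame names above cannot be used to locate the freed object without proper symbols or a symbolised build.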
Feb 15 2017
Natalie, would you mind helping with these?

Feb 15 2017
Thanks, I've reported this to Adobe.

Feb 16 2017
This is PSIRT-6406

Mar 10 2017

Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot