pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf: Crash
Reported by secut...@gmail.com, Aug 1 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Place index.html and 1.swf on webserver
2. Run index.html

What is the expected behavior?
Load flash file content

What went wrong?
Tab Crash "Aw Snap"

Did this work before? N/A

Chrome version: Version 60.0.3112.78 (Official Build) (32-bit) Channel: stable
OS Version: 10.0
Flash Version: 26.0.0.137 (x86)

error: out of memory
(1718.bc0): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\Windows10\AppData\Local\Google\Chrome\User Data\PepperFlash\26.0.0.137\pepflashplayer.dll -
eax=00000001 ebx=057f6000 ecx=00000007 edx=002a1000 esi=0549c690 edi=004ff320
eip=04c5d24e esp=004fec94 ebp=004fed3c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf:
04c5d24e cd29 int 29h
5:041> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for chrome.exe -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Google\Chrome\Application\60.0.3112.78\chrome_child.dll -
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
04c5d24e cd29 int 29h
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 04c5d24e (pepflashplayer!IAEModule_IAEKernel_UnloadModule+0x000dadbf)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
FAULTING_THREAD: 00000bc0
BUGCHECK_STR: FATAL_APP_EXIT
DEFAULT_BUCKET_ID: FATAL_APP_EXIT
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 00000007
WATSON_BKT_PROCSTAMP: 5976ae77
WATSON_BKT_PROCVER: 60.0.3112.78
PROCESS_VER_PRODUCT: Google Chrome
WATSON_BKT_MODULE: pepflashplayer.dll
WATSON_BKT_MODSTAMP: 594d52a4
WATSON_BKT_MODOFFSET: 85d24e
WATSON_BKT_MODVER: 26.0.0.137
BUILD_VERSION_STRING: 10.0.14393.1198 (rs1_release_sec.170427-1353)
MODLIST_WITH_TSCHKSUM_HASH: 2a78117b0686e69fd8fa13ebf5cc78bafa2502c4
MODLIST_SHA1_HASH: 76ef0504fb7c6bc2ab2da9d77ee95851938ec910
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
ANALYSIS_SESSION_HOST: DESKTOP-7V9JD6D
ANALYSIS_SESSION_TIME: 08-01-2017 08:35:02.0819
ANALYSIS_VERSION: 10.0.14321.1024 x86fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
    FATAL_APP_EXIT
        Tid [0x0]
        Frame [0x00]
        Failure Bucketing
LAST_CONTROL_TRANSFER: from 00000000 to 04c5d24e
STACK_TEXT:
004fed3c 00000000 00000000 00010000 f8000302 pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf
THREAD_SHA1_HASH_MOD_FUNC: f6d2ee79ff48333080673ae72fba5ec4209056fc
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 5f363ab2cfd55f89a3b72c644716fba3ca8e79ce
THREAD_SHA1_HASH_MOD: 7ca062eef4cdfc9e336a40ab65d0225aa0b11f00
FOLLOWUP_IP:
pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
04c5d24e cd29 int 29h
FAULT_INSTR_CODE: 16a29cd
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pepflashplayer
IMAGE_NAME: pepflashplayer.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 594d52a4
STACK_COMMAND: ~41s ; kb
BUCKET_ID: FATAL_APP_EXIT_pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
PRIMARY_PROBLEM_CLASS: FATAL_APP_EXIT_pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
FAILURE_EXCEPTION_CODE: c0000409
FAILURE_IMAGE_NAME: pepflashplayer.dll
BUCKET_ID_IMAGE_STR: pepflashplayer.dll
FAILURE_MODULE_NAME: pepflashplayer
BUCKET_ID_MODULE_STR: pepflashplayer
FAILURE_FUNCTION_NAME: IAEModule_IAEKernel_UnloadModule
BUCKET_ID_FUNCTION_STR: IAEModule_IAEKernel_UnloadModule
BUCKET_ID_OFFSET: dadbf
BUCKET_ID_MODTIMEDATESTAMP: 594d52a4
BUCKET_ID_MODCHECKSUM: 10f7716
BUCKET_ID_MODVER_STR: 26.0.0.137
BUCKET_ID_PREFIX_STR: FATAL_APP_EXIT_
FAILURE_PROBLEM_CLASS: FATAL_APP_EXIT
FAILURE_SYMBOL_NAME: pepflashplayer.dll!IAEModule_IAEKernel_UnloadModule
FAILURE_BUCKET_ID: FATAL_APP_EXIT_c0000409_pepflashplayer.dll!IAEModule_IAEKernel_UnloadModule
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome.exe/60.0.3112.78/5976ae77/pepflashplayer.dll/26.0.0.137/594d52a4/c0000409/0085d24e.htm?Retriage=1
TARGET_TIME: 2017-08-01T15:35:38.000Z
OSBUILD: 14393
OSSERVICEPACK: 1198
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-04-27 17:01:24
BUILDDATESTAMP_STR: 170427-1353
BUILDLAB_STR: rs1_release_sec
BUILDOSVER_STR: 10.0.14393.1198
ANALYSIS_SESSION_ELAPSED_TIME: dfb1
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:fatal_app_exit_c0000409_pepflashplayer.dll!iaemodule_iaekernel_unloadmodule
FAILURE_ID_HASH: {334749a8-b037-d81e-df6a-106fb87b3461}
Followup: MachineOwner
---------

Aug 2 2017
secutree@gmail.com, do you think this is exploitable and if so why?

Aug 4 2017
We did not check for exploitability.

Aug 4 2017
Thanks, I'll report this to Adobe, however, for VRP, we'll need some sort of explanation of exploitability. My suspicion is that since the crash happens during shutdown, it will be difficult to perform an exploit, as ActionScript execution has stopped. Would be happy to hear otherwise, though. Also, what name do you want Adobe to use if they credit you on a bulletin?

Aug 4 2017
Kindly give credits to: Vuln_Research@SecuTree

Jan 25 2018
From Adobe: My apologies for taking so long to get back to you on this case. We determined that this is just an out-of-memory abort, which in chrome is seen as a crash. We do not believe this is exploitable. Please let us know if you disagree.
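The distinction Adobe's reply turns on is what a triager has to read out of a dump like the one above: a c0000409 raised by `int 29h` carries a subcode, and only some subcodes mean a memory-safety check fired, while subcode 7 (FAST_FAIL_FATAL_APP_EXIT) is the value used by deliberate termination paths such as the CRT's abort(). The script below is an added example, not code from this issue, from Chromium or from Adobe. It parses the `!analyze -v` fields in the form they appear in the report, maps the subcode to the winnt.h FAST_FAIL_* names, and confirms from FAULT_INSTR_CODE that the faulting instruction really was `int 29h`. Both sample texts are constructed (the first from the report's own values, the second a made-up /GS cookie case for contrast), and the memory-safety/abort split is the script's own heuristic.

```python
"""Fast-fail triage for WinDbg `!analyze -v` output (added example).

STATUS_STACK_BUFFER_OVERRUN (0xC0000409) is raised by `int 29h` (__fastfail)
for every fast-fail class, not only /GS stack-cookie failures; the subcode in
Parameter[0] / EXCEPTION_PARAMETER1 identifies the check that fired.
FAST_FAIL_* values are the winnt.h constants; the category split is this
script's own heuristic; the SAMPLE_* texts are constructed.
"""
import re

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
FAST_FAIL_FATAL_APP_EXIT = 7

# Subset of the FAST_FAIL_* codes from winnt.h.
FAST_FAIL_CODES = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK",
    5: "FAST_FAIL_INVALID_ARG",
    6: "FAST_FAIL_GS_COOKIE_INIT",
    7: "FAST_FAIL_FATAL_APP_EXIT",
    8: "FAST_FAIL_RANGE_CHECK_FAILURE",
    9: "FAST_FAIL_UNSAFE_REGISTRY_ACCESS",
    10: "FAST_FAIL_GUARD_ICALL_CHECK_FAILURE",
    11: "FAST_FAIL_GUARD_WRITE_CHECK_FAILURE",
}

# Heuristic (this example's own): subcodes where a memory-safety mitigation
# tripped and the report deserves a deeper look.
MEMORY_SAFETY_SUBCODES = {0, 1, 2, 3, 8, 10, 11}

# 'KEY: value' lines; also matches indexed keys such as Parameter[0].
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9_]+(?:\[\d+\])?):\s*(.*)$")


def parse_analyze(text):
    """Map the 'KEY: value' lines of !analyze -v output to a dict (multi-line fields keep their first line only)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _hex_field(fields, *keys):
    """Parse the leading hex token of the first key present, e.g. 'c0000409 (Security ...)' -> 0xC0000409."""
    for key in keys:
        value = fields.get(key)
        if value:
            return int(value.split()[0], 16)
    return None


def classify_fastfail(fields):
    """Decide what kind of fast-fail a c0000409 crash is, from the parsed fields."""
    code = _hex_field(fields, "EXCEPTION_CODE_STR", "ExceptionCode")
    result = {"code": code, "fast_fail": False, "subcode": None, "name": None,
              "category": "not-a-fastfail", "int29": False}
    if code != STATUS_STACK_BUFFER_OVERRUN:
        return result
    result["fast_fail"] = True
    # The low two bytes of FAULT_INSTR_CODE are the faulting opcode bytes: cd 29 == int 29h.
    instr = fields.get("FAULT_INSTR_CODE")
    result["int29"] = instr is not None and (int(instr, 16) & 0xFFFF) == 0x29CD
    subcode = _hex_field(fields, "EXCEPTION_PARAMETER1", "Parameter[0]")
    result["subcode"] = subcode
    result["name"] = FAST_FAIL_CODES.get(subcode, "UNKNOWN_FAST_FAIL_%s" % subcode)
    if subcode in MEMORY_SAFETY_SUBCODES:
        result["category"] = "memory-safety-check"
    elif subcode == FAST_FAIL_FATAL_APP_EXIT:
        result["category"] = "deliberate-abort"
    else:
        result["category"] = "other"
    return result


# Constructed from the fields in the report above (subcode 7, FAST_FAIL_FATAL_APP_EXIT).
SAMPLE_FATAL_APP_EXIT = """\
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 04c5d24e (pepflashplayer!IAEModule_IAEKernel_UnloadModule+0x000dadbf)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000007
Subcode: 0x7  FAST_FAIL_FATAL_APP_EXIT
EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  00000007
FAULT_INSTR_CODE:  16a29cd
MODULE_NAME: pepflashplayer
"""

# Constructed contrast case: same exception code, but subcode 2 (a /GS cookie mismatch);
# address and symbol are placeholders.
SAMPLE_STACK_COOKIE = """\
ExceptionAddress: 0badc0de (example!placeholder_function+0x10)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
NumberParameters: 1
   Parameter[0]: 00000002
FAULT_INSTR_CODE:  16a29cd
"""

if __name__ == "__main__":
    for label, text in (("report", SAMPLE_FATAL_APP_EXIT), ("constructed /GS case", SAMPLE_STACK_COOKIE)):
        print(label, classify_fastfail(parse_analyze(text)))
```

The field to check first in any c0000409 report is EXCEPTION_PARAMETER1 (or Parameter[0]): the ERROR_CODE text about "an overrun of a stack-based buffer" is the generic NTSTATUS description of 0xC0000409 and says nothing about which check actually fired.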

Jan 25 2018

May 4 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by elawrence@chromium.org, Aug 2 2017
Status: Untriaged (was: Unconfirmed)