
Issue 751137

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf: Crash

Reported by secut...@gmail.com, Aug 1 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Place index.html and 1.swf on webserver
2. Run index.html

What is the expected behavior?
Load flash file content

What went wrong?
Tab Crash "Aw Snap"

Did this work before? N/A 

Chrome version: Version 60.0.3112.78 (Official Build) (32-bit)  Channel: stable
OS Version: 10.0
Flash Version: 26.0.0.137 (x86)

error: out of memory
(1718.bc0): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\Windows10\AppData\Local\Google\Chrome\User Data\PepperFlash\26.0.0.137\pepflashplayer.dll - 
eax=00000001 ebx=057f6000 ecx=00000007 edx=002a1000 esi=0549c690 edi=004ff320
eip=04c5d24e esp=004fec94 ebp=004fed3c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf:
04c5d24e cd29            int     29h
5:041> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome.exe - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Google\Chrome\Application\60.0.3112.78\chrome_child.dll - 
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
04c5d24e cd29            int     29h

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 04c5d24e (pepflashplayer!IAEModule_IAEKernel_UnloadModule+0x000dadbf)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

FAULTING_THREAD:  00000bc0

BUGCHECK_STR:  FATAL_APP_EXIT

DEFAULT_BUCKET_ID:  FATAL_APP_EXIT

PROCESS_NAME:  chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  00000007

WATSON_BKT_PROCSTAMP:  5976ae77

WATSON_BKT_PROCVER:  60.0.3112.78

PROCESS_VER_PRODUCT:  Google Chrome

WATSON_BKT_MODULE:  pepflashplayer.dll

WATSON_BKT_MODSTAMP:  594d52a4

WATSON_BKT_MODOFFSET:  85d24e

WATSON_BKT_MODVER:  26.0.0.137

BUILD_VERSION_STRING:  10.0.14393.1198 (rs1_release_sec.170427-1353)

MODLIST_WITH_TSCHKSUM_HASH:  2a78117b0686e69fd8fa13ebf5cc78bafa2502c4

MODLIST_SHA1_HASH:  76ef0504fb7c6bc2ab2da9d77ee95851938ec910

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

ANALYSIS_SESSION_HOST:  DESKTOP-7V9JD6D

ANALYSIS_SESSION_TIME:  08-01-2017 08:35:02.0819

ANALYSIS_VERSION: 10.0.14321.1024 x86fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

FATAL_APP_EXIT
    Tid    [0x0]
    Frame  [0x00]
    Failure Bucketing

LAST_CONTROL_TRANSFER:  from 00000000 to 04c5d24e

STACK_TEXT:  
004fed3c 00000000 00000000 00010000 f8000302 pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xdadbf

THREAD_SHA1_HASH_MOD_FUNC:  f6d2ee79ff48333080673ae72fba5ec4209056fc

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  5f363ab2cfd55f89a3b72c644716fba3ca8e79ce

THREAD_SHA1_HASH_MOD:  7ca062eef4cdfc9e336a40ab65d0225aa0b11f00

FOLLOWUP_IP: 
pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf
04c5d24e cd29            int     29h

FAULT_INSTR_CODE:  16a29cd

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: pepflashplayer

IMAGE_NAME:  pepflashplayer.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  594d52a4

STACK_COMMAND:  ~41s ; kb

BUCKET_ID:  FATAL_APP_EXIT_pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf

PRIMARY_PROBLEM_CLASS:  FATAL_APP_EXIT_pepflashplayer!IAEModule_IAEKernel_UnloadModule+dadbf

FAILURE_EXCEPTION_CODE:  c0000409

FAILURE_IMAGE_NAME:  pepflashplayer.dll

BUCKET_ID_IMAGE_STR:  pepflashplayer.dll

FAILURE_MODULE_NAME:  pepflashplayer

BUCKET_ID_MODULE_STR:  pepflashplayer

FAILURE_FUNCTION_NAME:  IAEModule_IAEKernel_UnloadModule

BUCKET_ID_FUNCTION_STR:  IAEModule_IAEKernel_UnloadModule

BUCKET_ID_OFFSET:  dadbf

BUCKET_ID_MODTIMEDATESTAMP:  594d52a4

BUCKET_ID_MODCHECKSUM:  10f7716

BUCKET_ID_MODVER_STR:  26.0.0.137

BUCKET_ID_PREFIX_STR:  FATAL_APP_EXIT_

FAILURE_PROBLEM_CLASS:  FATAL_APP_EXIT

FAILURE_SYMBOL_NAME:  pepflashplayer.dll!IAEModule_IAEKernel_UnloadModule

FAILURE_BUCKET_ID:  FATAL_APP_EXIT_c0000409_pepflashplayer.dll!IAEModule_IAEKernel_UnloadModule

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome.exe/60.0.3112.78/5976ae77/pepflashplayer.dll/26.0.0.137/594d52a4/c0000409/0085d24e.htm?Retriage=1

TARGET_TIME:  2017-08-01T15:35:38.000Z

OSBUILD:  14393

OSSERVICEPACK:  1198

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-04-27 17:01:24

BUILDDATESTAMP_STR:  170427-1353

BUILDLAB_STR:  rs1_release_sec

BUILDOSVER_STR:  10.0.14393.1198

ANALYSIS_SESSION_ELAPSED_TIME: dfb1

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:fatal_app_exit_c0000409_pepflashplayer.dll!iaemodule_iaekernel_unloadmodule

FAILURE_ID_HASH:  {334749a8-b037-d81e-df6a-106fb87b3461}

Followup:     MachineOwner
---------
 
Attachments:
1.swf (140 KB)
index.html (365 bytes)
stack.txt (5.7 KB)
Components: Internals>Plugins>Flash
Status: Untriaged (was: Unconfirmed)
Cc: natashenka@google.com
Labels: Needs-Feedback
secutree@gmail.com, do you think this is exploitable and if so why? 

Comment 3 by secut...@gmail.com, Aug 4 2017

We did not check for exploitability.

Status: ExternalDependency (was: Untriaged)
Thanks, I'll report this to Adobe, however, for VRP, we'll need some sort of explanation of exploitability. My suspicion is that since the crash happens during shutdown, it will be difficult to perform an exploit, as ActionScript execution has stopped. Would be happy to hear otherwise, though.

Also, what name do you want Adobe to use if they credit you on a bulletin? 

Comment 5 by secut...@gmail.com, Aug 4 2017

Kindly give credits to: Vuln_Research@SecuTree
Status: (was: ExternalDependency)
From Adobe:

My apologies for taking so long to get back to you on this case. We determined that this is just an out-of-memory abort, which in Chrome is seen as a crash. We do not believe this is exploitable.

Please let us know if you disagree.

Status: WontFix

Comment 8 by sheriffbot@chromium.org, May 4 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
