
Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Security: Use after free vulnerability about psdk in the latest version

Reported by jiezengo...@gmail.com, Aug 25 2017

Issue description

VULNERABILITY DETAILS
This is a UAF vulnerability about psdk.

VERSION
pepflashplayer32_26_0_0_151 windows 7 x86
(other operating systems may also crash, but not tested)

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash:
5a6311a0 83c104          add     ecx,4
5a6311a3 8b01            mov     eax,dword ptr [ecx]
5a6311a5 ff10            call    dword ptr [eax]      ds:0023:feeefeee=????????

Crash State:
4:054> dd ecx
00d231c4  feeefeee feeefeee feeefeee feeefeee
00d231d4  feeefeee feeefeee feeefeee feeefeee
00d231e4  feeefeee feeefeee feeefeee feeefeee
00d231f4  feeefeee feeefeee feeefeee feeefeee

uaf_poc.swf
2.3 KB Download
Please tell Adobe I do not want to put this poc file in MAPP when report to Adobe.
Thank you!
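The crash excerpt above shows the classic Windows debug-heap signature of a use-after-free: `ecx` points at an object whose memory has been filled with 0xFEEEFEEE (the value HeapFree writes into freed blocks when the debug heap is active), so the vtable pointer loaded from it is 0xFEEEFEEE and the indirect call faults there. The following triage helper is an added example, not code from the bug report or from Chromium/Adobe. It parses WinDbg output of the form pasted above, recognizes the documented heap fill constants, and classifies the crash; the null-page threshold and the second (null-dereference) sample are constructed assumptions for illustration.

```python
"""Triage helper: spot Windows heap fill patterns in a WinDbg crash excerpt.

Added example, not code from the bug report or from Chromium/Adobe. It reads
text like the "Type of crash" / "Crash State" blocks of the report and
decides whether the faulting dereference went through memory that the
debug heap had already freed.
"""
import re
from collections import Counter

# Fill values the Windows debug heap and the CRT debug heap write into memory.
# These are documented constants, not values taken from the report.
FILL_PATTERNS = {
    0xFEEEFEEE: ("freed", "freed heap block (Windows debug heap, HeapFree)"),
    0xDDDDDDDD: ("freed", "freed memory (CRT debug heap)"),
    0xBAADF00D: ("uninitialised", "fresh heap block (Windows debug heap, HeapAlloc)"),
    0xCDCDCDCD: ("uninitialised", "uninitialised memory (CRT debug heap)"),
    0xABABABAB: ("guard", "guard bytes after a heap block (Windows debug heap)"),
}
VERDICT_FOR_KIND = {
    "freed": "use-after-free",
    "uninitialised": "uninitialised-read",
    "guard": "out-of-bounds-read",
}

# A WinDbg 'dd' output line: "<address>  <dword> <dword> ...".
DD_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")
# WinDbg annotates a faulting memory operand as "ds:<selector>:<address>=<value>";
# "????????" means the bytes at that address could not be read.
FAULT_OPERAND = re.compile(r"ds:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=(\?{8}|[0-9a-fA-F]{8})")

# Assumption (heuristic): addresses below this are treated as the null page.
NULL_PAGE_LIMIT = 0x10000

# Crash excerpt as pasted in the report.
CRASH_FROM_REPORT = """\
5a6311a0 83c104          add     ecx,4
5a6311a3 8b01            mov     eax,dword ptr [ecx]
5a6311a5 ff10            call    dword ptr [eax]      ds:0023:feeefeee=????????
4:054> dd ecx
00d231c4  feeefeee feeefeee feeefeee feeefeee
00d231d4  feeefeee feeefeee feeefeee feeefeee
00d231e4  feeefeee feeefeee feeefeee feeefeee
00d231f4  feeefeee feeefeee feeefeee feeefeee
"""

# Constructed sample of an unrelated crash type, for contrast.
NULL_DEREF_SAMPLE = """\
7c80a9b0 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????
0:000> dd eax
00000000  ???????? ???????? ???????? ????????
"""


def parse_dd(text):
    """Return {start_address: [dword, ...]} for every 'dd'-style line in text."""
    dump = {}
    for line in text.splitlines():
        m = DD_LINE.match(line.strip())
        if m:
            dump[int(m.group(1), 16)] = [int(w, 16) for w in m.group(2).split()]
    return dump


def parse_fault(text):
    """Return (effective_address, value_or_None) of the first faulting operand."""
    m = FAULT_OPERAND.search(text)
    if not m:
        return None
    value = None if m.group(2).startswith("?") else int(m.group(2), 16)
    return int(m.group(1), 16), value


def dominant_fill(dump):
    """Most common fill pattern in the dump and the fraction of dwords it covers."""
    words = [w for ws in dump.values() for w in ws]
    counts = Counter(w for w in words if w in FILL_PATTERNS)
    if not counts:
        return None, 0.0
    pattern, n = counts.most_common(1)[0]
    return pattern, n / len(words)


def classify(crash_text):
    """Combine the faulting operand and the memory dump into a triage verdict."""
    fault = parse_fault(crash_text)
    pattern, fraction = dominant_fill(parse_dd(crash_text))
    result = {
        "fault_address": fault[0] if fault else None,
        "fill_pattern": pattern,
        "fill_fraction": round(fraction, 2),
        "verdict": "unknown",
        "detail": "",
    }
    if fault and fault[0] in FILL_PATTERNS:
        # The address being dereferenced *is* a fill value: the pointer was
        # read out of a block the heap had freed, never initialised, or guarded.
        kind, desc = FILL_PATTERNS[fault[0]]
        result["verdict"] = VERDICT_FOR_KIND[kind]
        result["detail"] = "dereferenced pointer 0x%08x is the %s fill value" % (fault[0], desc)
    elif fault and fault[0] < NULL_PAGE_LIMIT:
        result["verdict"] = "null-deref"
        result["detail"] = "faulting address 0x%08x lies in the null page" % fault[0]
    elif pattern is not None and fraction >= 0.75:
        # No fill value in the fault itself, but the dumped object is mostly one.
        result["verdict"] = "suspicious"
        result["detail"] = "dumped memory is %d%% %s" % (round(fraction * 100), FILL_PATTERNS[pattern][1])
    return result


if __name__ == "__main__":
    for name, sample in (("report", CRASH_FROM_REPORT), ("constructed", NULL_DEREF_SAMPLE)):
        print(name, classify(sample))
```

The fill values only appear while the debug heap is active (the process was started under a debugger or with heap flags/page heap enabled). In a release process the freed block is reused quickly and the same bug surfaces as a call through an arbitrary pointer instead, so the absence of 0xFEEEFEEE never rules a use-after-free out; its presence in the dereferenced pointer, as in this report, is the strong signal the script keys on.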
 Issue 758840  has been merged into this issue.
Components: Internals>Plugins>Flash

Comment 4 by ta...@google.com, Aug 28 2017

Labels: Security_Severity-High Security_Impact-Stable OS-Windows
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
natashenka@, would you be the right person to look at this?

Comment 5 by sheriffbot@chromium.org, Aug 29 2017

Labels: M-60

Comment 6 by sheriffbot@chromium.org, Aug 29 2017

Labels: Pri-1
I'm sorry I forgot something shown below.

Credit is to "JieZeng of Tencent Zhanlu Lab".

Please report it as soon as possible.

Comment 8 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Comment 9 by sheriffbot@chromium.org, Sep 8 2017

natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: ExternalDependency (was: Assigned)
Thanks, I've reported this to Adobe

Comment 11 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62

Comment 12 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63

Comment 13 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Status: Fixed (was: ExternalDependency)
This is PSIRT-7239 and has been fixed
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
And $5,000 for this one :-)
Labels: -reward-unpaid reward-inprocess
OK, I will not publicly disclose details to others.

Comment 20 by sheriffbot@chromium.org, Feb 8

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 21 by sheriffbot@chromium.org, Feb 8

Labels: Merge-Request-65

Comment 22 by sheriffbot@chromium.org, Feb 9

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
Labels: -Merge-Review-65 Merge-Rejected-65
No merge needed
Labels: Release-0-M65

Comment 26 Deleted

Labels: -CVE-2018-6058 CVE-2017-11215
Labels: CVE_description-submitted

Comment 29 by sheriffbot@chromium.org, May 4

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot