
Issue 758863


Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Security: Use-after-free vulnerability in PSDK in the latest version of Flash Player

Reported by jiezengo...@gmail.com, Aug 25 2017

Issue description

VULNERABILITY DETAILS
This is a UAF vulnerability in PSDK.

VERSION
Flash Version: pepflashplayer32_26_0_0_151
Operating System: Windows 7 x86 (other operating systems may also crash, but this was not tested)

REPRODUCTION CASE
There are 2 PoC files here.
The first one, uaf_poc_open.swf, crashes when the file is opened.
The second one, uaf_poc_quit.swf, crashes when Chrome quits.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: 
636b9425 83c108          add     ecx,8
636b9428 6a00            push    0
636b942a 8b01            mov     eax,dword ptr [ecx]
636b942c ff5004          call    dword ptr [eax+4]    ds:0023:feeefef2=????????

Crash State: 
4:049> dd ecx
003cd418  feeefeee feeefeee feeefeee feeefeee
003cd428  feeefeee feeefeee feeefeee feeefeee
003cd438  feeefeee feeefeee feeefeee feeefeee
003cd448  feeefeee feeefeee feeefeee feeefeee
003cd458  feeefeee feeefeee feeefeee feeefeee
003cd468  feeefeee feeefeee feeefeee feeefeee
003cd478  feeefeee feeefeee feeefeee feeefeee


 
Attachments:
uaf_poc_open.swf (3.7 KB)
uaf_poc_quit.swf (2.2 KB)
Please tell Adobe I do not want this PoC file put in MAPP when reporting to Adobe.
Thank you!
Components: Internals>Plugins>Flash

Comment 3 by ta...@google.com, Aug 28 2017

Labels: Security_Severity-High Security_Impact-Stable
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
natashenka@, would you be the right person to look at this?

Comment 4 by ta...@google.com, Aug 28 2017

Labels: OS-Windows

Comment 5 by sheriffbot@chromium.org, Aug 29 2017

Labels: M-60

Comment 6 by sheriffbot@chromium.org, Aug 29 2017

Labels: Pri-1
I'm sorry I forgot something shown below.

Credit is to "JieZeng of Tencent Zhanlu Lab".

Please report it as soon as possible.

Comment 8 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Comment 9 by sheriffbot@chromium.org, Sep 8 2017

natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Thanks, I've reported this to Adobe.
Cc: ihf@chromium.org
ihf: do we typically mark these as externaldependency once they have been reported? 

Comment 12 by ihf@chromium.org, Sep 19 2017

Status: ExternalDependency (was: Assigned)
Yes, ExternalDependency is correct here. Normally I would also CC/assign Adobe the bug, but it sounds like in this case this is different?
Yeah, for security bugs, we send them to the Adobe Security Team. So just cc me on these bugs and I can send them in.

Comment 14 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62

Comment 15 Deleted

@natashenka hi!
This bug has been fixed, but I have a question.
Why is the acknowledgment "Jie Zeng of Tencent Zhanlu Lab" instead of "JieZeng of Tencent Zhanlu Lab working with the Chromium Vulnerability Rewards Program" on this page: https://helpx.adobe.com/security/products/flash-player/apsb17-33.html?

Comment 17 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63

Comment 18 Deleted

@natashenka hi!
Can anyone answer my question here?

I reported 3 bugs: issue 758848, 768762 and 758863. There are only 2 CVEs credited to me on November's Adobe Security Bulletins and Advisories page: https://helpx.adobe.com/security/products/flash-player/apsb17-33.html . All 3 bugs are fixed.

Thanks!
Issue 758848 is still open with Adobe, I'll check what's going on with it.
According to Adobe: We found that PSIRT-7347 was a dupe of PSIRT-7239 (CVE-2017-11215). So one issue was a duplicate. 
Hi!
I do not know how Adobe defines a repeated submission, but I know they may be wrong.

If there are duplicate PoCs, they should be issue 768762 and issue 758863. But their trigger paths are different.

Thanks.
Anyone there? Why have two months passed without any new progress?
Sorry, can you provide a quick explanation of why you think they are different bugs, and I'll provide it to Adobe?

Comment 25 Deleted

Hi natashenka!
I was wrong in comment 19, so let's start from here.

First: I want to know which issue in comment 22 PSIRT-7347 is.
I assume PSIRT-7347 is issue 768762, because Issue 758848 and Issue 758863 were fixed in the November patch (I saw the PoCs from the November MAPP). And I also know that PSIRT-7239 (CVE-2017-11215) is Issue 758848.

So I will explain why Issue 768762 is different from Issue 758848 or Issue 758863.

Second: The reason is as follows:
The key point in Issue 768762 is to register the event handler, and free the problem object in the event handler. The source code is as follows:

public function main(){
    //some code
    try{ mediaPlayer = PSDK.pSDK.createMediaPlayer(eventDisp); } catch(e:Error){}
    //...
    try{ mediaPlayer.addEventListener(118,Listen); } catch(e:Error){}
}
public function Listen(e:PSDKEvent){
    //free internally
    try{ audSetting.getObject.call(contentResolver,ob_toStr); } catch(e:Error){}
    try{ tempVar3 = psdk.createMediaPlayer(eventDisp); } catch(e:Error){}
    try{ audSetting.setObject(ob_toStr,tempVar3); } catch(e:Error){}
    try{ tempVar3 = psdk.createDispatcher(); } catch(e:Error){}
    return;
}

However, Issue 758848 and Issue 758863 do not have the code that registers the event handler. So their trigger paths are different.

Last: Please contact me if you have any other questions!
PSIRT-7347 is 768762. I'll send this info to Adobe and see what they say.
PSIRT-7347 is 768762 and PSIRT-7239 is 758863. I'll give Adobe your explanation and let you know what I hear.
Thanks!
Does Adobe have any response?
From Adobe:

Apologies for the delayed reply. While we agree that the two submissions are not exactly the same, they are nevertheless related, and were resolved with the same code change.

This is the dev's comment:

I can see that this is a problem revolving around the MediaPlayer object being released similarly to how the QOSProvider object was mistakenly released in PSIRT-7239.

The fix for PSIRT-7239 was a very general fix and repairs issues with QOSProvider, MediaPlayer and MediaPlayerItemLoader.
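To make the reporter's trigger path (comment 26) and the dev's explanation above concrete, here is an added C model, not Flash's code and not the reporter's PoC: an event dispatch calls a listener that drops the only reference to the player, shown as the vulnerable dispatch beside one that holds a reference across the callback. The MediaPlayer struct, listener signature and poison value are constructed for this illustration; released memory is only poisoned, not returned to the allocator, so the fault is observable instead of crashing.

```c
#include <stdlib.h>

/* Constructed model: released objects are poisoned with 0xFEEEFEEE,
 * the fill pattern visible in the crash dump in this report. */
#define POISON 0xFEEEFEEEu

typedef struct MediaPlayer MediaPlayer;
typedef void (*Listener)(MediaPlayer *self);

struct MediaPlayer {
    int refs;          /* reference count held by owners */
    int live;          /* 1 while the object is valid */
    unsigned state;    /* poisoned once released */
    Listener on_event; /* handler registered via addEventListener */
};

static MediaPlayer *player_create(Listener l) {
    MediaPlayer *p = calloc(1, sizeof *p);
    p->refs = 1; p->live = 1; p->state = 1; p->on_event = l;
    return p;
}

static void player_retain(MediaPlayer *p) { p->refs++; }

static void player_release(MediaPlayer *p) {
    if (--p->refs == 0) { p->live = 0; p->state = POISON; }
}

/* Listener that drops the player's last reference from inside the
 * callback, the way the PoC's Listen() gets the object freed. */
static void dropping_listener(MediaPlayer *self) { player_release(self); }

/* Vulnerable pattern: touches self after the listener may have freed it.
 * Returns the state it read; POISON means a use-after-free occurred. */
unsigned dispatch_unsafe(MediaPlayer *p) {
    p->on_event(p);
    return p->state;
}

/* Hardened pattern: hold a reference across the callback so the object
 * outlives the dispatch; destruction happens at the final release. */
unsigned dispatch_safe(MediaPlayer *p) {
    player_retain(p);
    p->on_event(p);
    unsigned s = p->state;
    player_release(p);
    return s;
}

unsigned scenario_unsafe(void) { return dispatch_unsafe(player_create(dropping_listener)); }
unsigned scenario_safe(void)   { return dispatch_safe(player_create(dropping_listener)); }
```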
Ok, I understand.

I agree.

Comment 33 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Status: Fixed (was: ExternalDependency)
Labels: reward-topanel
Cc: natashenka@google.com
 Issue 768762  has been merged into this issue.
Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Hi jiezengoftencentzhanlulab@! The VRP decided to award $5,000 for this report. Many thanks!
Labels: -reward-unpaid reward-inprocess
OK, I will not publicly disclose details to others, but until when?

This bug has been fixed two months ago.

Comment 41 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 42 by sheriffbot@chromium.org, Feb 8 2018

Labels: Merge-Request-65

Comment 43 by sheriffbot@chromium.org, Feb 9 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
Labels: -Merge-Review-65 Merge-Rejected-65
No merge needed.
Labels: -M-64 Release-0-M65 M-65
Labels: -Release-0-M65
Labels: Release-0-M65
Apologies, you're OK to disclose this and 758848 now. We push flash updates out of band of the main release cycle so this didn't get picked up for release notes until now.

Comment 49 Deleted

The CVE number may not be correct; should the correct CVE be CVE-2017-11215 or CVE-2017-11225?

Labels: -CVE-2018-6059 CVE-2017-11225
Thanks for flagging! Fixing here and on the release blog.
Labels: CVE_description-submitted

Comment 53 by sheriffbot@chromium.org, May 4 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
