New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 768762 link

Starred by 2 users
Status: Duplicate
Merged: issue 758863
Owner:
natashenka@google.com
Last visit > 30 days ago
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Use after free vulnerability about psdk in the latest version of Flash player

Reported by jiezengo...@gmail.com, Sep 26 2017 
VULNERABILITY DETAILS
This is a UAF vulnerability about psdk.

VERSION
Flash Version: pepflashplayer32_27_0_0_130
Operating System: windows 7 x86 (other operating systems may also crash,but not test)

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.


REPRODUCTION CASE
The file uaf_new.swf

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash:
572e9a60 8b4e10          mov     ecx,dword ptr [esi+10h]
572e9a63 85c9            test    ecx,ecx
572e9a65 7408            je      pepflashplayer32_27_0_0_130!PPP_ShutdownBroker+0x358ebf (572e9a6f)
572e9a67 83c104          add     ecx,4
572e9a6a 8b01            mov     eax,dword ptr [ecx]
572e9a6c ff5004          call    dword ptr [eax+4]    ds:0023:feeefef2=????????

Crash State:
4:048> r
eax=feeefeee ebx=0518be38 ecx=0095bd64 edx=57c18fc0 esi=0094ada0 edi=0094ada4
eip=572e9a6c esp=0031f150 ebp=00fb20a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
pepflashplayer32_27_0_0_130!PPP_ShutdownBroker+0x358ebc:
572e9a6c ff5004          call    dword ptr [eax+4]    ds:0023:feeefef2=????????

4:048> dd ecx
0095bd64  feeefeee feeefeee feeefeee feeefeee
0095bd74  feeefeee feeefeee feeefeee feeefeee
0095bd84  feeefeee feeefeee feeefeee feeefeee
0095bd94  feeefeee feeefeee feeefeee feeefeee



Credit is to "JieZeng of Tencent Zhanlu Lab".

Please tell Adobe I do not want to put this poc file in MAPP when report to Adobe.
Thank you!
uaf_new.swf
1.4 KB Download

Comment 1 by elawrence@chromium.org, Sep 26 2017

Components: Internals>Plugins>Flash

Comment 2 by infe...@chromium.org, Sep 26 2017

Labels: Security_Severity-High Security_Impact-Stable Pri-1
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
Natalie, can you please help to report this to Adobe.

Comment 3 by infe...@chromium.org, Sep 26 2017

Labels: M-62

Comment 4 by natashenka@google.com, Sep 26 2017

Status: ExternalDependency (was: Assigned)
Thanks, I've reported it
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64

Comment 7 by natashenka@google.com, Jan 25 2018 

This is PSIRT-7347

Comment 8 by mbarbella@google.com, Jan 31 2018

Mergedinto: 758863
Status: Duplicate (was: ExternalDependency)
Marking this as a duplicate based on c#28 on  issue 758863
Project Member

Comment 9 by sheriffbot@chromium.org, May 10 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment