
Issue 804198

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security

Security: Adobe Flash NetStream Object Use After Free

Reported by xiong12...@gmail.com, Jan 22 2018

Issue description


VULNERABILITY DETAILS

This is a use after free vulnerability. A NetStream object could be used after it is freed.

This vulnerability exists because we can set a callback function in the middle of another object's constructor function (e.g. a PrintJob object). When our callback function gets called, we can call the NetStream constructor function on the "this" object, which makes the "this" object become a NetStream object. Then we use the NetStream object to connect to a remote server. In this way, the Flash runtime keeps a reference to the NetStream object.

Then we return from our callback function and the PrintJob constructor function continues to execute, and the object becomes a PrintJob object again.

This finally results in a dangling pointer to the NetStream object.



VERSION
Chrome Version: Version 64.0.3282.100 (Official Build) beta (64-bit)
Operating System: Windows 7 64-bit

REPRODUCTION CASE

1. Start a command line, cd to the "poc" folder

2. Start a server using the "poc" folder as the root directory by executing:
   python -m SimpleHTTPServer

3. Start Chrome, visit
   http://127.0.0.1:8000/index.html




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: Tab

0:016> g
(5a8.1be8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
pepflashplayer!PPP_ShutdownBroker+0x1e1368:
000007fe`d7b15678 48395038        cmp     qword ptr [rax+38h],rdx ds:00000000`00000038=????????????????
0:000> k
Child-SP          RetAddr           Call Site
00000000`003ee480 000007fe`d7dfa2d3 pepflashplayer!PPP_ShutdownBroker+0x1e1368
00000000`003ee4b0 000007fe`d7df5dbc pepflashplayer!PPP_ShutdownBroker+0x4c5fc3
00000000`003ee4e0 000007fe`d7df64b4 pepflashplayer!PPP_ShutdownBroker+0x4c1aac
00000000`003ee510 000007fe`d7dfa043 pepflashplayer!PPP_ShutdownBroker+0x4c21a4
00000000`003ee540 000007fe`d7dc6610 pepflashplayer!PPP_ShutdownBroker+0x4c5d33
00000000`003ee570 000007fe`d7b2d944 pepflashplayer!PPP_ShutdownBroker+0x492300
00000000`003ee5a0 000007fe`d79436aa pepflashplayer!PPP_ShutdownBroker+0x1f9634
00000000`003ee620 000007fe`d794238e pepflashplayer!PPP_ShutdownBroker+0xf39a
00000000`003ee680 000007fe`d7942724 pepflashplayer!PPP_ShutdownBroker+0xe07e
00000000`003ee6b0 000007fe`d7aca1d1 pepflashplayer!PPP_ShutdownBroker+0xe414
00000000`003ee6e0 000007fe`d7938f6c pepflashplayer!PPP_ShutdownBroker+0x195ec1
00000000`003ee710 000007fe`d7939044 pepflashplayer!PPP_ShutdownBroker+0x4c5c
00000000`003ee8c0 000007fe`e17df7a5 pepflashplayer!PPP_ShutdownBroker+0x4d34
00000000`003ee8f0 000007fe`e17de9b6 chrome_child!IsSandboxedProcess+0x4f9f4d
00000000`003ee920 000007fe`e17df460 chrome_child!IsSandboxedProcess+0x4f915e
00000000`003ee9c0 000007fe`e17d3a1f chrome_child!IsSandboxedProcess+0x4f9c08
00000000`003eea10 000007fe`dfcffb4c chrome_child!IsSandboxedProcess+0x4ee1c7
00000000`003eeae0 000007fe`df8cf476 chrome_child!ChromeMain+0x10a294
00000000`003eeb10 000007fe`df7c42e4 chrome_child!ovly_debug_event+0x11d1f6
00000000`003eec20 000007fe`df8cf882 chrome_child!ovly_debug_event+0x12064

0:000> dq rcx	<= RCX points to the freed object
000005d0`56d72508  000005d0`56d72570 00000000`00000000
000005d0`56d72518  00000000`00000000 00000000`00000000
000005d0`56d72528  00000000`00000000 00000000`00000000
000005d0`56d72538  00000000`00000000 00000000`00000000
000005d0`56d72548  00000000`00000000 00000000`00000000
000005d0`56d72558  00000000`00000000 00000000`00000000
000005d0`56d72568  00000000`00000000 000005d0`56d725d8
000005d0`56d72578  00000000`00000000 00000000`00000000
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Components: -Internals>Plugins>PDF Internals>Plugins>Flash
Owner: ----
Looks like this is Flash, not PDF.
Owner: natashenka@google.com
Please credit "Yuki Chen of Qihoo 360 Vulcan Team", thank you!
This is PSIRT-7807

Comment 6 by mea...@chromium.org, Jan 30 2018

Status: ExternalDependency (was: Unconfirmed)

Comment 7 by mea...@chromium.org, Jan 30 2018

Labels: Security_Severity-High Security_Impact-Stable

Comment 8 by sheriffbot@chromium.org, Jan 30 2018

Labels: M-64

Comment 9 by sheriffbot@chromium.org, Jan 30 2018

Labels: Pri-1

Comment 10 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Fixed (was: ExternalDependency)
This was resolved today as CVE-2018-4919
Labels: reward-topanel CVE-2018-4919

Comment 14 by sheriffbot@chromium.org, Mar 14 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by sheriffbot@chromium.org, Mar 16 2018

Labels: Merge-Request-66

Comment 16 by sheriffbot@chromium.org, Mar 16 2018

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
What's the fix that needs to be merged?
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
The VRP panel decided to award $3,000 for this report, thank you!
Labels: -reward-unpaid reward-inprocess
Labels: -Merge-Review-66
no merge needed
Labels: CVE_description-missing

Comment 23 by sheriffbot@chromium.org, Jun 20 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -CVE_description-missing CVE_description-submitted