The attached SWF file generates a NULL deref on IE, Chrome, standalone projector, etc.
The interesting part is that behind this NULL deref hides a use-after-free that gets exposed on debug builds.
Chris did some research and here are his comments:
"I should add a note why I think it's a use-after-free: I have access to a debug build and in the debug build, there's a fault at 0xcdcdcdcdcdcdcdcd which I believe is a debugging aid designed to illustrate use-after-free more clearly. It looks like a display object has a stale reference for its parent."
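The "fault at 0xcdcdcdcdcdcdcdcd" reasoning above relies on a common debug-heap trick: freed (or otherwise invalid) memory is filled with a fixed byte pattern, so a pointer loaded from such memory becomes a recognizable, unmapped address and the dangling access faults loudly instead of silently reading live data. The following C program is an added illustration, not code from the bug report or from Flash Player's allocator: the 0xCD poison byte, the `DisplayObject` struct and the `debug_free` helper are assumptions made for the demo, and the "freed" child is only poisoned, not released, so the stale read is deterministic and does not itself crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed poison byte, modelled on the 0xcd pattern in the report. */
#define POISON_BYTE 0xCD

/* Hypothetical display-object layout: a child keeps a raw pointer to its parent. */
typedef struct DisplayObject {
    struct DisplayObject *parent;
    int id;
} DisplayObject;

/* Hypothetical debug free: overwrite the block with the poison pattern.
   A real debug heap would also release the block; here it stays mapped so
   the stale read below can be observed without faulting. */
static void debug_free(void *block, size_t size) {
    memset(block, POISON_BYTE, size);
}

/* Returns 1 if every byte of the address equals the poison byte, i.e. the
   pointer was loaded from poisoned (freed) memory. */
int is_poison_pointer(uintptr_t addr) {
    for (size_t i = 0; i < sizeof addr; i++) {
        if (((addr >> (8 * i)) & 0xFF) != POISON_BYTE) {
            return 0;
        }
    }
    return 1;
}

/* Simulates the reported bug: the child is "freed" while something still
   holds it, and its parent field is read afterwards. Returns the stale value. */
uintptr_t stale_parent_value(void) {
    DisplayObject *parent = malloc(sizeof *parent);
    DisplayObject *child  = malloc(sizeof *child);
    if (parent == NULL || child == NULL) {
        free(parent);
        free(child);
        return 0;
    }
    parent->parent = NULL;
    parent->id     = 1;
    child->parent  = parent;
    child->id      = 2;

    debug_free(child, sizeof *child);             /* child is logically dead now */
    uintptr_t stale = (uintptr_t)child->parent;   /* stale read: yields the poison pattern */

    free(child);
    free(parent);
    return stale;
}

/* Compares a crash address against the poison pattern and explains the result. */
const char *classify_fault(uintptr_t fault_addr) {
    if (fault_addr == 0) {
        return "NULL dereference";
    }
    if (is_poison_pointer(fault_addr)) {
        return "pointer loaded from poisoned memory: likely use-after-free";
    }
    return "other invalid access";
}

int main(void) {
    uintptr_t stale = stale_parent_value();
    printf("stale parent pointer: 0x%llx -> %s\n",
           (unsigned long long)stale, classify_fault(stale));
    return 0;
}
```

On a 64-bit build the stale field reads back as 0xcdcdcdcdcdcdcdcd, which is not a canonical x86-64 user address, so a real dereference of it raises a fault at exactly that address; that is why the same bug shows up as a bland NULL deref on release builds (where the freed memory is reused or zeroed) but as an unmistakable poison-pattern fault on a debug build.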
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: fuzz-fermin_swfbf-32401.27731-8feb34f77321d753.swf (2.5 MB)