Starred by 2 users
Status: Fixed
Closed: Feb 2015
Flash: use-after-free(?) in bitmap decoding(?) from KeenTeam
Reported by cevans@google.com, Jan 27 2015
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program"

Flash Player 16.0.0.296 in Chrome 40 Linux x64

I believe this is a use-after-free, due to quite varying crash stack traces depending on platform, etc. One example crash in the release build of Pepper Flash Player is:

=> 0x00007f471374f965:	movl   $0x1,0x60(%rdi)

rdi            0x7f471348bc10	139943242939408

7f4713206000-7f47141a0000 r-xp 00000000 fd:01 674828                     /opt/google/chrome/PepperFlash/libpepflashplayer.so

TL;DR: this is an attempt to write to the executable text of the Flash library.

PoC.swf is attached. I expect it's a fuzz case; source not available.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Attachment: PoC.swf (1.3 KB)
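A small triage helper, added here as an example and not part of the report, that mechanises the reasoning in the post: it resolves the faulting instruction's memory operand against the register dump, finds the /proc/<pid>/maps entry the address lands in, and reports whether the access is a write into a non-writable executable mapping. The instruction, rdi value and maps line are constructed from the crash lines quoted above; operand parsing handles only the simple disp(%base) form.

```python
import re
# Constructed from the crash report above: faulting instruction, register value, maps entry.
CRASH_INSN = "=> 0x00007f471374f965:\tmovl   $0x1,0x60(%rdi)"
REGS = {"rdi": 0x7f471348bc10}
MAPS = ["7f4713206000-7f47141a0000 r-xp 00000000 fd:01 674828 /opt/google/chrome/PepperFlash/libpepflashplayer.so"]

_MEM_RE = re.compile(r"^(-?0x[0-9a-f]+|-?\d+)?\((%\w+)\)$")      # disp(%base) only
_MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def operands(insn):
    """Split the operand field of a gdb AT&T-syntax line at top-level commas."""
    parts = insn.split(":", 1)[1].split(None, 1)   # drop "=> 0x...:" and the mnemonic
    ops, depth, cur = [], 0, ""
    for ch in (parts[1] if len(parts) > 1 else ""):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            ops, cur = ops + [cur.strip()], ""
        else:
            cur += ch
    return ops + ([cur.strip()] if cur.strip() else [])

def effective_address(insn, regs):
    """Resolve the disp(%base) memory operand; returns (address, is_write)."""
    ops = operands(insn)
    for i, op in enumerate(ops):
        m = _MEM_RE.match(op)
        if m:
            disp = int(m.group(1), 0) if m.group(1) else 0
            # AT&T syntax: the last operand is the destination, so a memory operand there is written.
            return regs[m.group(2)[1:]] + disp, i == len(ops) - 1
    raise ValueError("no disp(%reg) memory operand")

def find_mapping(addr, maps):
    # Return the /proc/<pid>/maps entry containing addr, or None if unmapped.
    for line in maps:
        m = _MAP_RE.match(line)
        if m and int(m.group(1), 16) <= addr < int(m.group(2), 16):
            return {"perms": m.group(3), "path": m.group(4).strip()}
    return None

def triage(insn, regs, maps):
    """Classify the faulting access as the report does: a write landing in r-x text."""
    addr, is_write = effective_address(insn, regs)
    mapping = find_mapping(addr, maps)
    perms = mapping["perms"] if mapping else ""
    verdict = ("unmapped" if not mapping
               else "write-to-code" if is_write and "w" not in perms and "x" in perms
               else "write-to-readonly" if is_write and "w" not in perms
               else "within-permissions")
    return {"address": addr, "write": is_write, "mapping": mapping, "verdict": verdict}
```

For the quoted crash, `triage(CRASH_INSN, REGS, MAPS)` resolves rdi+0x60 to an address inside the r-xp segment of libpepflashplayer.so and classifies it as write-to-code, matching the report's TL;DR.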
Comment 1 by cevans@google.com, Jan 28 2015
Labels: Id-3260
Comment 2 by cevans@google.com, Feb 4 2015
Labels: CVE-2015-0322
Comment 3 by cevans@google.com, Feb 6 2015
Labels: Fixed-2015-Feb-5
Status: Fixed
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Comment 4 by cevans@google.com, Feb 12 2015
Labels: -Restrict-View-Commit
Comment 5 by cevans@google.com, Mar 26 2015
Cc: woo...@gmail.com lv.sam...@gmail.com