Status: Fixed
Closed: Apr 2015
Flash: memory corruption with -1 length string in titl tag
Reported by cevans@google.com, Feb 6 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=titl.mpd

The fault condition appears to be a wild copy. Sometimes, though, exploitable-looking crashes are obtained, e.g. this one on Linux x64:

mov    0x30(%rax),%rax
rax            0x4141414141414141	4702111234474983745


To compile the .as file, I had to use special flags to flex:

mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as
(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
PlayManifest.swf (7.4 KB)
titl.mpd (622 bytes)
PlayManifest.as (1.8 KB)
titl.mp4 (64.0 KB)
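The "-1 length string" in the title is the classic signed-length wild copy: a 32-bit length read as a signed integer compares as negative, slips past a "too long" check, and then sign-extends to a huge size_t when handed to the copy. The C below is an added illustration of that bug class with a vulnerable parser beside a hardened one; it is not Flash's code or anything from the attached files, and the length-prefixed box layout it parses is an assumption made for the example (the real 'titl' layout is not described on this page).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed layout for this example (NOT the real Flash 'titl' parser):
 * a 4-byte big-endian length followed by that many string bytes.
 */

#define TITLE_MAX 64

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Vulnerable shape: the length is held in a signed int and compared only
 * against the destination size. 0xFFFFFFFF reads as -1, which is not
 * "> TITLE_MAX - 1", so the check passes; cast to size_t for memcpy it
 * becomes SIZE_MAX and the copy runs off the end of the destination (the
 * wild copy). To keep the example runnable this function returns the byte
 * count it would hand to memcpy instead of performing the copy.
 */
size_t titl_copy_len_vulnerable(const uint8_t *box, size_t box_len)
{
    if (box_len < 4)
        return 0;
    int32_t len = (int32_t)read_be32(box);
    if (len > TITLE_MAX - 1)
        return 0;               /* rejected as "too long" */
    return (size_t)len;         /* -1 sign-extends to SIZE_MAX here */
}

/*
 * Hardened form: unsigned length, bounded by both the destination and the
 * bytes actually remaining in the box, and the result is NUL-terminated.
 * Returns 0 on success, -1 on any malformed input.
 */
int titl_parse_safe(const uint8_t *box, size_t box_len, char out[TITLE_MAX])
{
    if (box_len < 4)
        return -1;
    uint32_t len = read_be32(box);
    if (len > TITLE_MAX - 1 || len > box_len - 4)
        return -1;
    memcpy(out, box + 4, len);
    out[len] = '\0';
    return 0;
}

/* Constructed inputs: a well-formed title, the -1 length, and a truncated box. */
static const uint8_t GOOD_BOX[]  = { 0x00, 0x00, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_BOX[]   = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
static const uint8_t TRUNC_BOX[] = { 0x00, 0x00, 0x00, 0x0A, 'a', 'b' };

int main(void)
{
    char title[TITLE_MAX];
    printf("vulnerable copy length, good box: %zu\n",
           titl_copy_len_vulnerable(GOOD_BOX, sizeof GOOD_BOX));
    printf("vulnerable copy length, -1 box:   %zu\n",
           titl_copy_len_vulnerable(BAD_BOX, sizeof BAD_BOX));
    printf("safe parse, good box:  %d (%s)\n",
           titl_parse_safe(GOOD_BOX, sizeof GOOD_BOX, title), title);
    printf("safe parse, -1 box:    %d\n",
           titl_parse_safe(BAD_BOX, sizeof BAD_BOX, title));
    printf("safe parse, truncated: %d\n",
           titl_parse_safe(TRUNC_BOX, sizeof TRUNC_BOX, title));
    return 0;
}
```

The two checks in the hardened version matter independently: the unsigned compare against TITLE_MAX stops the sign-extension path, and the compare against the remaining box bytes stops an over-read when the declared length is plausible but the data is short.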
Comment 1 by cevans@google.com, Feb 7 2015
Labels: Id-3284
Comment 2 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-0360
Comment 4 by cevans@google.com, Apr 30 2015
Labels: -Restrict-View-Commit