Flash: memory corruption with CEA-708 screen cursor going off-screen

Reported by cevans@google.com, Feb 17 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

    http://localhost/PlayManifest.swf?file=caption_708.m3u8

Press refresh after load to guarantee the crash. [Note: you'll need this PlayManifest.swf and not an older one from an older bug]

On 64-bit Chrome on Windows canary, v42.0.2306.0, you will see this in WinDbg:

    77b0320e 807b0f05    cmp byte ptr [rbx + 0Fh],5    ds:0000001f`ffffffff

Where this value is based on the synthesized pointer value 0x0000002000000000. Note that the attacker could synthesize a slightly more fine-grained value if desired, although probably not a perfectly-chosen pointer value. The most likely attack would probably be a precise clobber of some length variable.

This is an extremely reliable bug; in fact it's kind of cool. It's a write to an attacker-chosen offset within a single large object, so there's no unreliability due to crossing heap chunks, etc. The crash will always be the same, with the same value. Such a bug could be the basis of a 100% reliable exploit.

The payload is wrapped a few protocols deep but is effectively the following CEA-708 byte sequence (see http://en.wikipedia.org/wiki/CEA-708):

    0x92 0x0F 0x26 0x08

Corresponding to:

    SetPenLocation (x=15, y=38)    <--- both out of bounds (max 15x42)
    Backspace (ASCII 0x08)         <--- writes 0x20 out-of-bounds

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
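The mechanism the report describes, as an added example that is not Adobe's code or any code from the report: a toy CEA-708 command interpreter in which SetPenLocation (0x92, row byte, column byte) is stored without bounds checks and Backspace (0x08) then writes a 0x20 space at the cell the pen points to. The 15x42 window dimensions, the Caption708 struct layout (window text followed by other per-window state and a length field) and the LEN_MARKER value are assumptions chosen so that the report's bytes 92 0F 26 08 land on a sibling field of the same object, which is the "precise clobber of some length variable" the report anticipates. Row 15 is one past the last row of a 15-row window (rows are 0-14), so the flat offset 15*42+37 = 667 falls beyond the 630 text cells. The hardened interpreter beside it rejects the out-of-window pen position and re-checks the computed offset before writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed window geometry and object layout (illustration only). */
#define WIN_ROWS 15
#define WIN_COLS 42

typedef struct {
    uint8_t  text[WIN_ROWS * WIN_COLS]; /* 630 cells of window text            */
    uint8_t  attrs[32];                 /* hypothetical per-window state        */
    uint8_t  pen_row;
    uint8_t  pen_col;
    uint32_t text_len;                  /* offset 664: the kind of length field */
} Caption708;                           /* an attacker would want to clobber    */

#define LEN_MARKER 0x41414141u          /* recognisable value to spot corruption */

static void caption_init(Caption708 *c) {
    memset(c, 0, sizeof *c);
    c->text_len = LEN_MARKER;
}

/* Flat cell index derived from the pen; nothing keeps it inside text[]. */
static size_t pen_offset(uint8_t row, uint8_t col) {
    return (size_t)row * WIN_COLS + col;
}

/* Vulnerable interpreter: SPL is accepted unchecked, BS steps the pen back one
 * column and writes a space there. The write goes through the object's base
 * pointer, so it stays inside the struct and lands on a sibling field. */
static int run_vulnerable(Caption708 *c, const uint8_t *cmd, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (cmd[i] == 0x92) {                  /* SetPenLocation: row, column */
            if (i + 2 >= n) return -1;         /* truncated command           */
            c->pen_row = cmd[i + 1] & 0x0F;    /* 4-bit row                   */
            c->pen_col = cmd[i + 2] & 0x3F;    /* 6-bit column                */
            i += 2;
        } else if (cmd[i] == 0x08) {           /* Backspace                   */
            if (c->pen_col > 0) c->pen_col--;
            ((uint8_t *)c)[pen_offset(c->pen_row, c->pen_col)] = 0x20;
        }
        /* other C0/C1 commands and G0 text are ignored in this toy */
    }
    return 0;
}

/* Hardened interpreter: reject a pen position outside the window, and
 * re-check the computed offset against the text buffer before writing. */
static int run_hardened(Caption708 *c, const uint8_t *cmd, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (cmd[i] == 0x92) {
            if (i + 2 >= n) return -1;
            uint8_t row = cmd[i + 1] & 0x0F, col = cmd[i + 2] & 0x3F;
            if (row >= WIN_ROWS || col >= WIN_COLS) return -1; /* reject SPL */
            c->pen_row = row;
            c->pen_col = col;
            i += 2;
        } else if (cmd[i] == 0x08) {
            if (c->pen_col > 0) c->pen_col--;
            size_t off = pen_offset(c->pen_row, c->pen_col);
            if (off >= sizeof c->text) return -1;              /* belt and braces */
            c->text[off] = 0x20;
        }
    }
    return 0;
}

/* Constructed input: the CEA-708 byte sequence quoted in the report. */
static const uint8_t report_payload[] = { 0x92, 0x0F, 0x26, 0x08 };

/* Returns 1 when the vulnerable path overwrote a byte of text_len with 0x20. */
int demo_vulnerable(void) {
    Caption708 c;
    caption_init(&c);
    if (run_vulnerable(&c, report_payload, sizeof report_payload) != 0) return 0;
    size_t hit = pen_offset(15, 37);           /* row 15, col 38 after one BS */
    int inside_len = hit >= offsetof(Caption708, text_len) &&
                     hit <  offsetof(Caption708, text_len) + sizeof c.text_len;
    return inside_len && c.text_len != LEN_MARKER && ((uint8_t *)&c)[hit] == 0x20;
}

/* Returns 1 when the hardened path rejected the SPL and left text_len intact. */
int demo_hardened(void) {
    Caption708 c;
    caption_init(&c);
    return run_hardened(&c, report_payload, sizeof report_payload) == -1 &&
           c.text_len == LEN_MARKER;
}

int main(void) {
    printf("vulnerable interpreter corrupted text_len: %s\n", demo_vulnerable() ? "yes" : "no");
    printf("hardened interpreter rejected payload:     %s\n", demo_hardened() ? "yes" : "no");
    return 0;
}
```

The offset is fully determined by the two parameter bytes and the fixed window stride, which is why the report calls the crash deterministic: nothing about heap layout between chunks enters into it. The fix belongs at the SetPenLocation decoder (the row and column must be validated against the window that was actually defined), with the offset re-check in Backspace as defence in depth for any other command that moves the pen.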
Comment 1 by cevans@google.com, Feb 18 2015
Apr 10 2015
Apr 14 2015
Apr 30 2015