Status: Fixed
Closed: Apr 2015
Flash: memory corruption with large length in EAC3 packet
Reported by cevans@google.com, Feb 18 2015
To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:

http://localhost/PlayManifest.swf?file=eac3.m3u8

On 32-bit Chrome on Windows, v40.0.2214.111, WinDbg sees the crash like this:

6dcca5e7 f3a5    rep movs dword ptr es:[edi],dword ptr [esi]

esi = 0x02c31000
edi = 0x02c2fffc
ecx = 0x3ff3f789

So, a wild memcpy-type fault, but I'm in the process of writing up how these are exploitable in Flash, and this one looks nearly identical to another bug where I've proven exploitability.

For reference, the EAC3 packet data (type = 0x87) is:

0x0B 0x77 0x00 0x01 0x0B 0x77 0xFF 0xFF

Where 0xFF 0xFF is the large length.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
prog_index_eac3.m3u8 (165 bytes)
eac3.ts (564 bytes)
PlayManifest.as (2.4 KB)
eac3.m3u8 (155 bytes)
PlayManifest.swf (7.6 KB)
Comment 1 by cevans@google.com, Feb 19 2015
Labels: Id-3318
Comment 2 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-0353
Comment 4 by cevans@google.com, Apr 30 2015
Labels: -Restrict-View-Commit