280 - Flash: broker-based sandbox escape via timing attack against file moving - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	May 2015
Cc:	█ lv.sam...@gmail.com █ woo...@gmail.com project-...@google.com
Reported-2015-Mar-6 Id-3448 Deadline-90 Finder-external Fixed-2015-May-12 Finder-keen CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe CVE-2015-3081

Flash: broker-based sandbox escape via timing attack against file moving

Reported by cevans@google.com, Mar 7 2015

Back to list

PoC is attached.

Credit is to KEEN Team.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

PoC_FlashBroker_MoveFileEx_TOCTOU.zip
45.4 KB Download

Comment 1 by cevans@google.com, Mar 9 2015

Labels: Id-3448

Comment 2 by cevans@google.com, May 7 2015

Labels: CVE-2015-3081

Comment 3 by cevans@google.com, May 7 2015

Credit is to Jihui Lu of KeenTeam (@K33nTeam)

Comment 4 by cevans@google.com, May 12 2015

Labels: Fixed-2015-May-12
Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

Project Member Comment 5 by natashenka@google.com, Aug 18 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment