Status: Fixed
Closed: Jul 2015
Adobe Flash bad free condition
Project Member Reported by mjurczyk@google.com, Apr 27 2015
The following crash has been encountered while performing dumb fuzzing of Adobe Flash against malformed SWF files:

--- cut ---
FAULTING_IP: 
kernel32!InterlockedCompareExchange+c
75671398 f00fb111        lock cmpxchg dword ptr [ecx],edx

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000075671398 (kernel32!InterlockedCompareExchange+0x000000000000000c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000000000099d
Attempt to write to address 000000000000099d

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000000 ecx=0000099d edx=00000001 esi=09864000 edi=0000099d
eip=75671398 esp=002ce700 ebp=75671454 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
kernel32!InterlockedCompareExchange+0xc:
75671398 f00fb111        lock cmpxchg dword ptr [ecx],edx ds:002b:0000099d=????????

[...]

STACK_TEXT:  
002ce6fc 0191717c 0000099d 00000001 00000000 kernel32!InterlockedCompareExchange+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
002ce720 0142a7a2 1bd99768 1bd99768 1bd9a000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x69cec
002ce734 0142b9b8 1bd99000 0191f8a6 00000000 FlashPlayer!WinMainSandboxed+0x67442
002ce73c 0191f8a6 00000000 09693000 0969345c FlashPlayer!WinMainSandboxed+0x68658
002ce764 0191d07b 00000000 09693000 000003ae FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x72416
002ce778 0191dfe3 00000000 09693000 002ce83c FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x6fbeb
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x70b53
--- cut ---

The crash reproduces reliably using the latest Flash Player Projector for Windows, and in Chrome. The offending x86 instruction has been observed to always be an XCHG (in our tests), and the location of the crash in Flash code appears to be related to the internal flash heap manager (i.e. looks like a bad free or similar condition).

The diff between the crashing testcase and original file has been minimized to a single byte change, 0x4F => 0x9B, at offset 0xC74. Attached are both the mutated and original files.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments: poc.swf (4.7 KB), original.swf (4.7 KB)
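As an added example, not tooling from the report or from Project Zero, the following Python helper does the first triage step a minimized single-byte diff calls for: it walks the tag records of an uncompressed ("FWS") SWF and reports which tag record an offset such as 0xC74 falls in, so the mutated byte can be tied to a parser structure before the heap-manager crash is investigated. The sample SWF, the mutation offset (40) and the byte values are constructed here; the real poc.swf is not reproduced, and a "CWS" file would need its body inflated first with offsets recomputed.

```python
import struct

# Tag codes from the SWF specification (only those the constructed sample uses).
TAG_NAMES = {0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor", 69: "FileAttributes"}

def header_size(body: bytes) -> int:
    """Offset of the first tag: 8 fixed bytes, RECT (5-bit Nbits + 4 fields), frame rate, frame count."""
    nbits = body[8] >> 3
    return 8 + (5 + 4 * nbits + 7) // 8 + 4

def iter_tags(body: bytes):
    """Yield (code, tag_start, data_start, data_end) for each tag record up to and including End."""
    pos = header_size(body)
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, data_start = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:  # long form: an explicit uint32 length follows the 2-byte header
            length, data_start = struct.unpack_from("<I", body, data_start)[0], data_start + 4
        yield code, pos, data_start, data_start + length
        if code == 0:
            break
        pos = data_start + length

def byte_diff(a: bytes, b: bytes):
    """Offsets at which two same-sized files differ, as (offset, old_byte, new_byte)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def locate(body: bytes, offset: int):
    """Name of the tag whose record covers `offset`, and the offset relative to that record's start."""
    for code, start, dstart, dend in iter_tags(body):
        if start <= offset < dend:
            return TAG_NAMES.get(code, "Tag%d" % code), offset - start
    return ("header" if offset < header_size(body) else "outside"), offset

def tag(code: int, payload: bytes) -> bytes:
    """Encode one tag record, switching to the long form when the length does not fit in 6 bits."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf() -> bytes:
    """Constructed one-frame SWF: FileAttributes, SetBackgroundColor, a 72-byte DefineShape body, ShowFrame, End."""
    tags = tag(69, b"\x08\x00\x00\x00") + tag(9, b"\xff\xff\xff") + tag(2, b"\x01\x00" + b"\x4f" * 70) + tag(1, b"") + tag(0, b"")
    rect = b"\x08\x00"  # Nbits=1 and four zero edges: 9 bits, zero-padded to 2 bytes
    head = b"FWS\x0a" + struct.pack("<I", 14 + len(tags)) + rect + struct.pack("<HH", 0x1800, 1)
    return head + tags

def mutate(data: bytes, offset: int, value: int) -> bytes:
    """Single-byte mutation of the kind dumb fuzzing applies and minimization reports."""
    return data[:offset] + bytes([value]) + data[offset + 1:]
```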
Project Member Comment 1 by mjurczyk@google.com, Apr 27 2015
Labels: Id-3618
Comment 2 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-3123
Comment 3 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 4 by mjurczyk@google.com, Jul 17 2015
Labels: -Restrict-View-Commit