375 - Flash: uninitialized memory information leak when shading into a ByteArray (#2) - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jun 2015
Cc:	project-...@google.com
Severity-Medium CVE-2015-3108 Deadline-90 Id-3674 Fixed-2015-Jun-9 Reported-2015-May-12 CCProjectZeroMembers Finder-cevans Product-Flash Vendor-Adobe

Flash: uninitialized memory information leak when shading into a ByteArray (#2)

Reported by cevans@google.com, May 12 2015

Back to list

A PoC (source and SWF) are attached, along with a screenshot of the rendering of the uninitialized content into a Bitmap.

Sometimes, the PoC will render just a black image. To get things a bit more leaky, I found that playing a Flash video in a second tab whilst refreshing the PoC seems to do the trick reliably.

Unfortunately, this appears to be an incorrect fix for https://code.google.com/p/google-security-research/issues/detail?id=319.  Bug 319  used a zero mask to cause uninitialized memory, and that PoC does seem to be fixed. This latest PoC uses a non-zero but non-complete mask to achieve a similar affect.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

	shaderjobleak2.png 29.7 KB View Download

ShaderJobLeak2.swf
994 bytes Download

ShaderJobLeak2.as
1.3 KB Download

Comment 1 by cevans@google.com, May 12 2015

Labels: Id-3674

Comment 2 by cevans@google.com, Jun 4 2015

Labels: CVE-2015-3108

Comment 3 by cevans@google.com, Jun 9 2015

Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-11.html

Comment 4 by cevans@google.com, Jun 26 2015

Labels: Fixed-2015-Jun-9

Comment 5 by cevans@google.com, Jun 26 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment