47 - Flash leak of uninitialized data when image zlib stream ends prematurely - project-zero

Starred by 5 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Aug 2014
Cc:	project-...@google.com
Fixed-2014-Aug-12 Severity-Medium Deadline-90 CVE-2014-0544 Id-2890 Reported-2014-Jul-14 CCProjectZeroMembers Finder-cevans Product-Flash Vendor-Adobe

Flash leak of uninitialized data when image zlib stream ends prematurely

Reported by cevans@google.com, Jul 14 2014

Back to list

A SWF to reproduce is attached, along with source. To reproduce, host the additional resource SWF "imglossless8bpp.swf" on the same web server / directory as Lossless8bppLeak.swf

I'm fairly sure this is a very different bug to the "Lossless1bppLeak.swf" bug. To manifest this bug, we pull a fun little trick: we terminate the image data zlib stream early, before emitting any pixel data for the image. This leaves uninitialized data in the canvas which we can read out to script. The demo SWF file grabs a pointer value and displays it (64-bit Linux) to illustrate the point.

A screenshot is attached for convenience.

Since it's very easy to use this vulnerability to read uninitialized memory content, a 90-day disclosure deadline applies.

Lossless8bppLeak.as
1.9 KB Download

	8bppleak.png 12.4 KB View Download

Lossless8bppLeak.swf
1.2 KB Download

imglossless8bpp.swf
1.4 KB Download

Comment 1 by cevans@google.com, Jul 15 2014

Labels: Id-2890

Comment 2 by cevans@google.com, Aug 21 2014

Labels: CVE-2014-0544

Comment 3 by cevans@google.com, Aug 21 2014

Labels: Fixed-2014-Aug-12

Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

Comment 4 by cevans@google.com, Aug 21 2014

Labels: -Restrict-View-Commit

Comment 5 by cevans@google.com, Aug 21 2014

Status: Fixed

Blogged about here: http://googleprojectzero.blogspot.com/2014/08/what-does-pointer-look-like-anyway.html

Marking as Fixed since the patch is available since > 1 week.

► Sign in to add a comment