New issue
Advanced search Search tips

Issue 716 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:



Sign in to add a comment

Adobe Flash: Uninitialized Stack Parameter Access in Object.unwatch UaF Fix

Project Member Reported by natashenka@google.com, Feb 2 2016

Issue description

The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-32.html, most likely one of the UaFs reported by Yuki Chen) can sometimes access a parameter on the native stack that is uninitialized.

If:

var o = {};
o.unwatch();

is called in ActionScript, a parameter array is allocated using alloca(0), which leads to a 16-byte (the minimum size length for alloca in the implementation) that does not get initialized. The conversion function in the UaF check then assumes that at least one parameter has been allocated, and attempts to convert the stack parameter to a string, even though it is a previous value (a UTF string "fffff ... " in the PoC).

A PoC is attached, it is a bit finicky but crashes in the most recent Chrome Flash update. To reproduce, load crasher2.swf?num=15, and then immediately loading crasher2.swf?num=4. The num parameter shifts the stack (for nums between 0 and 31), so changing it around should lead to crashes in different browsers.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
Project Member

Comment 1 by natashenka@google.com, Feb 2 2016

crasher2.fla
5.6 KB Download
crasher2.swf
1.2 KB Download
Project Member

Comment 2 by natashenka@google.com, Feb 3 2016

Labels: -Reported-2015-Feb-2 Reported-2015-Feb-3 Finder-mjurczyk
Project Member

Comment 3 by natashenka@google.com, Mar 22 2016

Labels: -Restrict-View-Commit CVE-2016-0998
Status: Fixed (was: New)
Fixed in March bulletin
Project Member

Comment 4 by natashenka@google.com, Mar 28 2016

Adding exploit, part 1
test.cgi
1.1 KB View Download
crasher73.swf
3.0 KB Download
sound.html
1.2 KB View Download
soundPCM.swf
3.2 KB Download
soundtop.html
267 bytes View Download
Project Member

Comment 5 by natashenka@google.com, Mar 28 2016

Adding exploit, part 2

crasher2.fla is the source for new.swf
SoundPCM.as and killer.as are the source for soundPCM.swf 

crasher2.fla
5.5 KB Download
soundPCM.as
5.6 KB View Download
killer.as
221 bytes View Download

Sign in to add a comment