Lucene search

K

Adobe Flash - Pointer Crash in Drawing and Bitmap Handling

🗓️ 19 Aug 2015 00:00:00Reported by Google Security ResearchType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 24 Views

Adobe Flash - Pointer Crash in Drawing and Bitmap Handlin

Show more
Related
Code
ReporterTitlePublishedViews
Family
Check Point Advisories
Adobe Flash Player Memory Corruption (APSB15-19: CVE-2015-5544)
16 Aug 201500:00
checkpoint_advisories
CVE
CVE-2015-5545
14 Aug 201501:59
cve
CVE
CVE-2015-5552
14 Aug 201501:59
cve
CVE
CVE-2015-5548
14 Aug 201501:59
cve
CVE
CVE-2015-5549
14 Aug 201501:59
cve
CVE
CVE-2015-5547
14 Aug 201501:59
cve
CVE
CVE-2015-5544
14 Aug 201501:59
cve
CVE
CVE-2015-5546
14 Aug 201501:59
cve
CVE
CVE-2015-5553
14 Aug 201501:59
cve
Prion
Memory corruption
14 Aug 201501:59
prion
Rows per page
Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.

A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf

The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf

The crash on 64-bit Linux looks like this:

=> 0x00007f69314b8f7d:	cmpl   $0xc,0x174(%rax)

rax            0x83071500ff0300	36881008741516032

If we trace through the usages of %rax, we can get to some bad writes pretty easily:

=> 0x00007f69314b8f7d:	cmpl   $0xc,0x174(%rax)
   0x00007f69314b8f84:	je     0x7f69314b8fa0
...
   0x00007f69314b8fa0:	mov    (%rax),%rdi      <-- rdi compromised
   0x00007f69314b8fa3:	callq  0x7f69314b8810
...
   0x00007f69314b8810:	mov    (%rsi),%edx
   0x00007f69314b8812:	cmp    $0x7ffffff,%edx
   0x00007f69314b8818:	je     0x7f69314b8862
   0x00007f69314b881a:	mov    0x10(%rdi),%eax
   0x00007f69314b881d:	cmp    $0x7ffffff,%eax
   0x00007f69314b8822:	je     0x7f69314b8868
   0x00007f69314b8824:	sub    $0x1,%edx
   0x00007f69314b8827:	cmp    %eax,%edx
   0x00007f69314b8829:	cmovg  %eax,%edx
   0x00007f69314b882c:	mov    0x14(%rdi),%eax
   0x00007f69314b882f:	mov    %edx,0x10(%rdi)  <---- rdi written to

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
19 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4
24
.json
Report