Adobe Flash - Pointer Crash in Drawing and Bitmap Handlin
Reporter | Title | Published | Views | Family All 79 |
---|---|---|---|---|
Check Point Advisories | Adobe Flash Player Memory Corruption (APSB15-19: CVE-2015-5544) | 16 Aug 201500:00 | – | checkpoint_advisories |
CVE | CVE-2015-5545 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5552 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5548 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5549 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5547 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5544 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5546 | 14 Aug 201501:59 | – | cve |
CVE | CVE-2015-5553 | 14 Aug 201501:59 | – | cve |
Prion | Memory corruption | 14 Aug 201501:59 | – | prion |
Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
The crash on 64-bit Linux looks like this:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
rax 0x83071500ff0300 36881008741516032
If we trace through the usages of %rax, we can get to some bad writes pretty easily:
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
0x00007f69314b8f84: je 0x7f69314b8fa0
...
0x00007f69314b8fa0: mov (%rax),%rdi <-- rdi compromised
0x00007f69314b8fa3: callq 0x7f69314b8810
...
0x00007f69314b8810: mov (%rsi),%edx
0x00007f69314b8812: cmp $0x7ffffff,%edx
0x00007f69314b8818: je 0x7f69314b8862
0x00007f69314b881a: mov 0x10(%rdi),%eax
0x00007f69314b881d: cmp $0x7ffffff,%eax
0x00007f69314b8822: je 0x7f69314b8868
0x00007f69314b8824: sub $0x1,%edx
0x00007f69314b8827: cmp %eax,%edx
0x00007f69314b8829: cmovg %eax,%edx
0x00007f69314b882c: mov 0x14(%rdi),%eax
0x00007f69314b882f: mov %edx,0x10(%rdi) <---- rdi written to
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo