Adobe Flash Pointer Crash in XML Handling

ID EDB-ID:37870
Type exploitdb
Reporter Google Security Research
Modified 2015-08-19T00:00:00


Adobe Flash Pointer Crash in XML Handling. CVE-2015-5548. Dos exploit for linux platform


The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.

The crash looks like this on Linux x64:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax
rcx            0x303030303030300	217020518514230016

The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax    <--- read
   0x00007f6931226f25:	test   %eax,%eax
   0x00007f6931226f27:	je     0x7f6931226f80
   0x00007f6931226f29:	test   $0x40000000,%eax
   0x00007f6931226f2e:	jne    0x7f6931226f80
   0x00007f6931226f30:	add    $0x1,%eax         <--- increment
   0x00007f6931226f33:	cmp    $0xff,%al
   0x00007f6931226f35:	mov    %eax,0x8(%rcx)    <--- write back

The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf

Proof of Concept: