Lucene search
K

Adobe Flash - .SWF Out-of-Bounds Memory Read (2)

🗓️ 19 Aug 2015 00:00:00Reported by Google Security ResearchType 
exploitpack
 exploitpack
👁 12 Views

Adobe Flash Player plugin access violation due to out-of-bounds memory read, caused by an overly large index value

Code
Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(1dec.1af0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0
eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
FlashPlayer!WinMainSandboxed+0x57aee:
0044ae55 803c3000        cmp     byte ptr [eax+esi],0       ds:002b:07374001=??

0:000> !address esi
[...]
Usage:                  <unknown>
Base Address:           06e60000
End Address:            07374000
Region Size:            00514000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        06e60000
Allocation Protect:     00000001	PAGE_NOACCESS

0:000> db esi
0736dda0  8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63  .V........Trebuc
0736ddb0  68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01  het MS>.~.....!.
0736ddc0  4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02  L.v.........@...
0736ddd0  c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04  ....I...&.O.....
0736dde0  1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06  ..9.........".@.
0736ddf0  97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08  ....-.........!.
0736de00  3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a  ?.....@.........
0736de10  00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c  ..5.[.w.....R...

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI".

- The memory under "ESI" contains a section of the input file starting at offset 0x50dda0.

- Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37857.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation