Flash (IBB): use-after-free vulnerability in Flash Player

2014-07-03T05:06:17
ID H1:18843
Type hackerone
Reporter yopwn
Modified 2019-11-12T09:44:13

Description

It looks like there is a use-after-free vulnerability in Adobe Flash Player when it is running inside Internet Explorer. The steps to reproduce the crash are as follows:

  1. The OS is Windows 7 x64 with IE 11; Flash Player is the latest, 14.0.0.125, and everything is fully updated. Please use 64-bit Windows, since I found it is not easy to trigger on 32-bit.
  2. To trigger the vulnerability more reliably, enable page heap for IE with the command "gflags.exe /p /enable iexplore.exe /full".
  3. Serve the attached "repro.html" file (password: "infected") from an HTTP server.

Visit "repro.html" at a URL such as "http://10.10.10.1/repro.html". After about 30 seconds it redirects to another URL, "http://damncok.blogspot.com", as you can see from the following HTML at the beginning of the page:

-- <meta content='30;URL=http://damncok.blogspot.com/' http-equiv='refresh'/> --

Sometimes IE crashes at the moment it redirects to "http://damncok.blogspot.com"; if it does not, try closing IE after the "http://damncok.blogspot.com" page has loaded. Either way, you will see a crash like:

--
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
error: out of memory
error: out of memory
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): C++ EH exception - code e06d7363 (first chance)
(670.1050): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
20296425 ??              ???
1:020:x86> kv
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a52c21c 68c6513f 38fa0000 68fba654 38fa0000 0x20296425
0a52c224 68fba654 38fa0000 0a52c270 0a52c328 Flash32_14_0_0_125!DllUnregisterServer+0xa725d
0a52c238 68fba7a1 0a52c270 00000001 00000000 Flash32_14_0_0_125!IAEModule_IAEKernel_UnloadModule+0x716f4
00000000 00000000 00000000 00000000 00000000 Flash32_14_0_0_125!IAEModule_IAEKernel_UnloadModule+0x71841
1:020:x86> ub 68c6513f
Flash32_14_0_0_125!DllUnregisterServer+0xa7240:
68c65122 8d442403        lea     eax,[esp+3]
68c65126 83c404          add     esp,4
68c65129 e9ed760f00      jmp     Flash32_14_0_0_125!DllUnregisterServer+0x19e939 (68d5c81b)
68c6512e 56              push    esi
68c6512f 8bf1            mov     esi,ecx
68c65131 8b8e98050000    mov     ecx,dword ptr [esi+598h]
68c65137 8b01            mov     eax,dword ptr [ecx]
68c65139 ff90f0000000    call    dword ptr [eax+0F0h]
1:020:x86> dd esi+598
638bdda8  3904d000 66d0dff0 80000000 00000000
638bddb8  39055f60 6d7cc090 00000000 00000000
638bddc8  00000000 39054ba0 00000000 00020000
638bddd8  00000000 00000000 00000000 00000000
638bdde8  63921038 00000000 00000000 00000000
638bddf8  00000000 00000000 00000001 66c3b868
638bde08  66c3b880 00000000 00000000 00000000
638bde18  00000000 695692ec 00000000 00000000
1:020:x86> dd 3904d000
3904d000  69689c5c 00000000 373c6740 373cf4d0
3904d010  00000000 00000000 00000000 6959f5a0
3904d020  6994ce70 38fa0000 00000000 00000000
3904d030  3904d000 695ad63c 00000000 638bd810
3904d040  373c5140 00000000 3904e081 3904f041
3904d050  00000000 39059030 38fa0000 00000000
3904d060  69974360 00000054 00000030 00000000
3904d070  00000000 00000000 00000000 00000000
1:020:x86> dd 69689c5c+f0
69689d4c  20296425 6c636572 656d6961 64252064
69689d5c  6f687720 7020656c 73656761 64252820
69689d6c  29626b20 206e6920 66322e25 6c696d20
69689d7c  2073696c 342e2528 29732066 0000000a
69689d8c  6d656d5b 7773205d 2d706565 72617473
69689d9c  00000a74 2e63672e 6c6c6f43 00746365
69689dac  2e63672e 6c6c6f43 69746365 6f576e6f
69689dbc  00006b72 68fbaf60 68fba890 68fbaf80
1:020:x86> db 69689c5c+f0-10
69689d3c  00 00 00 00 5b 6d 65 6d-5d 20 73 77 65 65 70 28  ....[mem] sweep(
69689d4c  25 64 29 20 72 65 63 6c-61 69 6d 65 64 20 25 64  %d) reclaimed %d
69689d5c  20 77 68 6f 6c 65 20 70-61 67 65 73 20 28 25 64   whole pages (%d
69689d6c  20 6b 62 29 20 69 6e 20-25 2e 32 66 20 6d 69 6c   kb) in %.2f mil
69689d7c  6c 69 73 20 28 25 2e 34-66 20 73 29 0a 00 00 00  lis (%.4f s)....
69689d8c  5b 6d 65 6d 5d 20 73 77-65 65 70 2d 73 74 61 72  [mem] sweep-star
69689d9c  74 0a 00 00 2e 67 63 2e-43 6f 6c 6c 65 63 74 00  t....gc.Collect.
69689dac  2e 67 63 2e 43 6f 6c 6c-65 63 74 69 6f 6e 57 6f  .gc.CollectionWo
--

The bytes at 0x69689d4c are part of a string (the four ASCII bytes "%d) ", which read little-endian as 0x20296425, the faulting EIP above), but they are wrongly used as a function pointer: the object's first dword, which should be its vtable, points into string data, and the call through slot +0xF0 of that "vtable" jumps into the text.

With a little debugging, you will find that the vulnerability is highly exploitable. An attacker can easily spray bytes to replace the freed object for later exploitation, or can even just spray around the address 0x20296425 (though that requires a JIT spray to bypass DEP).

Some notes:

  1. This bug is actually quite strange (I found it by visiting some random page that loads the PoC as a frame :P). I tried to reduce the PoC, but unfortunately it became unstable. I'm not sure exactly why, but I'd bet the root cause is some "out-of-memory" condition: probably Flash Player doesn't handle some OOM condition correctly, which leaves later code in a use-after-free situation. (I'd be very glad to hear from the vendor about the root cause, if possible. :-))

  2. On my computer it reproduces successfully most of the time. Please note that usually you need to wait 30 seconds after it redirects to the other URL and then close IE; then you will see the crash. However, if you find it really hard to reproduce even after many tries, let me know (email haifei.van@gmail.com) and I may share a Fiddler .saz traffic capture with you.

Thanks, Haifei
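The dispatch pattern in the listing above (child pointer read from [esi+598h], vtable taken from the child's first dword, indirect call through slot +0xF0, and the string bytes "%d) " = 0x20296425 ending up in EIP), reduced to a small C model. This is an added illustration, not code from the report or from Adobe. Only the three offsets, the LIFO chunk reuse and the GC log string come from the dump; the arena, chunk size, region addresses, HANDLER and the attacker address are made-up values, and the "pointers" are offsets into a private arena so the stale call is inspected rather than executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the crash (added example, not Adobe's code). All "pointers"
 * are 32-bit offsets into a private arena; region addresses, chunk size,
 * HANDLER and the attacker address are assumptions. The offsets mirror the
 * disassembly: owner keeps the child at +0x598, the child's first dword is
 * its vtable pointer, the virtual call goes through vtable slot +0xF0. */

#define ARENA_SIZE  0x4000
#define CHUNK_SIZE  0x100
#define VTABLE      0x0400   /* legitimate vtable of the child class     */
#define STRINGS     0x0800   /* rodata-like region with GC log strings    */
#define OWNER       0x1000   /* the object held in esi                    */
#define HEAP_BASE   0x2000   /* first chunk handed out by the toy heap    */
#define HANDLER     0x3F00   /* stands in for the real virtual method     */
#define OWNER_CHILD 0x598    /* mov ecx,dword ptr [esi+598h]              */
#define VSLOT       0xF0     /* call dword ptr [eax+0F0h]                 */

static uint8_t  arena[ARENA_SIZE];
static uint32_t bump, free_head;

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, arena + off, 4); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(arena + off, &v, 4); }

/* LIFO free list: the next same-size allocation gets back the chunk that was
 * just freed, which is what "spray bytes to replace the freed object" relies on. */
static uint32_t heap_alloc(void) {
    uint32_t off;
    if (free_head) { off = free_head; free_head = rd32(off); }
    else           { off = bump; bump += CHUNK_SIZE; }
    memset(arena + off, 0, CHUNK_SIZE);
    return off;
}
static void heap_free(uint32_t off) { wr32(off, free_head); free_head = off; }

/* The format string seen at 0x69689d3c in the dump. "%d) " sits 12 bytes in,
 * so the copy is placed such that STRINGS + VSLOT lands exactly on it. */
static const char gc_fmt[] =
    "[mem] sweep(%d) reclaimed %d whole pages (%d kb) in %.2f millis (%.4f s)\n";

/* Fresh state: live child with a valid vtable, owner holding a raw reference. */
static void reset(void) {
    memset(arena, 0, sizeof arena);
    bump = HEAP_BASE; free_head = 0;
    memcpy(arena + STRINGS + VSLOT - 12, gc_fmt, sizeof gc_fmt);
    wr32(VTABLE + VSLOT, HANDLER);
    uint32_t child = heap_alloc();
    wr32(child, VTABLE);                 /* constructor stores the vtable ptr */
    wr32(OWNER + OWNER_CHILD, child);    /* owner keeps a raw reference       */
}

/* ecx=[esi+598h]; eax=[ecx]; target=[eax+0F0h]. Returned, never called. */
uint32_t dispatch_target(void) {
    uint32_t child = rd32(OWNER + OWNER_CHILD);
    return rd32(rd32(child) + VSLOT);
}

uint32_t live_target(void) { reset(); return dispatch_target(); }

/* Child freed (say, on an OOM cleanup path) but the owner's reference is not
 * cleared. The chunk is reused by an unrelated object whose first word points
 * at the string region, so the "vtable" is text and slot +0xF0 reads the four
 * ASCII bytes "%d) " = 0x20296425, the EIP in the crash. */
uint32_t stale_target_after_string_reuse(void) {
    reset();
    heap_free(rd32(OWNER + OWNER_CHILD));
    uint32_t reuse = heap_alloc();       /* same chunk comes back */
    wr32(reuse, STRINGS);
    return dispatch_target();
}

/* Attacker-controlled reuse: the sprayed chunk points its fake vtable at
 * itself, so slot +0xF0 is attacker data too and the call goes where the
 * spray says. */
uint32_t stale_target_after_spray(uint32_t attacker_addr) {
    reset();
    heap_free(rd32(OWNER + OWNER_CHILD));
    uint32_t reuse = heap_alloc();
    wr32(reuse, reuse + 4);              /* fake vtable inside the chunk */
    wr32(reuse + 4 + VSLOT, attacker_addr);
    return dispatch_target();
}

/* The fix this pattern calls for: the owner drops its reference when the
 * child dies, and dispatch refuses a null child. Returns 0 when skipped. */
uint32_t hardened_target_after_free(void) {
    reset();
    heap_free(rd32(OWNER + OWNER_CHILD));
    wr32(OWNER + OWNER_CHILD, 0);        /* clear the reference on free */
    uint32_t reuse = heap_alloc();
    wr32(reuse, STRINGS);
    uint32_t c = rd32(OWNER + OWNER_CHILD);
    return c ? rd32(rd32(c) + VSLOT) : 0;
}

int main(void) {
    printf("live  : %08x\n", live_target());
    printf("stale : %08x\n", stale_target_after_string_reuse());
    printf("spray : %08x\n", stale_target_after_spray(0x0c0c0c0c));
    printf("fixed : %08x\n", hardened_target_after_free());
    return 0;
}
```

The string-reuse case reproduces the exact bogus target from the dump without any attacker involvement, which is why the reporter's OOM theory is plausible: any unrelated allocation that lands in the freed chunk turns the stale dispatch into a wild jump. The spray case shows why such a bug is "highly exploitable": once the attacker owns the chunk, both the fake vtable pointer and the slot it indexes are under their control.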