Internet Bug Bounty: Adobe Flash Player Out-of-Bound Read/Write Vulnerability

I. Summary
Adobe Flash Player is prone to a vulnerability which leads to Out-of-Bound access of memory. During the compilation of a malformed regular expression, relevant operations would cause Out-of-Bound Read/Write of stack and heap memory. Successful exploits may allow an attacker to gain access to sensitive memory addresses information in the context of the user running the affected application, which could be used to bypass ASLR protection. Advanced Heap Fengshui techniques may even allow an attacker to rewrite stack or heap variable, resulting in arbitrary code execution in the context of the user running the affected application.

II. Description
Building RegExp Object via a malformed regular expression, such as:

var exp:RegExp=new RegExp(“(?:(VenusTech)(?2){0,1020}(b))?)”);

will normally cause memory crash because of Out-of-Bound read of stack memory.
RegExp object used a fixed size stack variable cworkspace during the compilation. Since cworkspace can get filled up by repetitions of forward references, expanding cworkspace mechanism is introduced. After a potential stack overflow is detected, the original cworkspace will be replaced by a block of newly created heap block that is large enough to hold everything. Pointers related to cworkspace will also be updated to newly created heap memory block.

The problem is, the updating of cworkspace pointers happens inside a recursively called function. A local variable of cworkspace pointer is not synchronizing upon different calls.

Further operations try to copy the content of the original cworkspace, beginning with the out-of-date local pointer of cworkspace and ending up with a pointer of newly created heap block. Since the local variable of cworkspace is still a stack pointer, it is normally in lower address than the newly created heap memory. The copying operations will read values out of bound of the stack.

With advanced technique (such as Heap Fengshui), stack can adjacent to another block of heap memory controlled by the attacker. Copying operations may allow the modification to the length field of Vector.<int>, gaining attacker the ability to read and write arbitrary memory address. Or else, one could simply use Out-of-Bound read to gain the address of ActionScript objects or OS structs.

III. Impact
Out-of-Bound Read/Write

IV. Affected
Adobe Flash Player under Windows XP and Windows 7.
Other versions may also be affected.

V. Reference
It has got assigned as CVE-2014-0564.
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html

VI. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.