Flash Uninitialized Stack Variable MPD Parsing Memory Corruption

🗓️ 19 Aug 2015 00:00:00Reported by bilouType

zdt🔗 0day.today👁 32 Views

Flash Uninitialized Stack Variable MPD Parsing Memory Corruption in Chrome 41.0.2272.10

Reporter	Title	Published	Views	Family All 63
Tenable Nessus	Flash Player < 13.0.0.289 / 17.0.0.188 Multiple Vulnerabilities (APSB15-09)	10 Jul 201500:00	–	nessus
Tenable Nessus	Adobe AIR < 17.0.0.172 Multiple Vulnerabilities (APSB15-09)	10 Jul 201500:00	–	nessus
Tenable Nessus	Flash Player < 17.0.0.189 (inferred) Multiple Vulnerabilities (APSB15-06 through 11)	24 Jul 201500:00	–	nessus
Tenable Nessus	Adobe AIR <= 17.0.0.144 Multiple Vulnerabilities (APSB15-09)	12 Jun 201500:00	–	nessus
Tenable Nessus	Adobe Flash Player <= 17.0.0.169 Multiple Vulnerabilities (APSB15-09)	12 May 201500:00	–	nessus
Tenable Nessus	FreeBSD : Adobe Flash Player -- critical vulnerabilities (e206df57-f97b-11e4-b799-c485083ca99c)	14 May 201500:00	–	nessus
Tenable Nessus	GLSA-201505-02 : Adobe Flash Player: Multiple vulnerabilities	1 Jun 201500:00	–	nessus
Tenable Nessus	Google Chrome < 42.0.2311.152 Multiple Vulnerabilities	12 May 201500:00	–	nessus
Tenable Nessus	Adobe AIR for Mac <= 17.0.0.144 Multiple Vulnerabilities (APSB15-09)	12 Jun 201500:00	–	nessus
Tenable Nessus	Adobe Flash Player <= 17.0.0.169 Multiple Vulnerabilities (APSB15-09) (Mac OS X)	12 May 201500:00	–	nessus

Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
 
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]
 
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
 
---
VULNERABILITY DETAILS
Loading a weird MPD file can corrupt flash player's memory.
 
VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134
Operating System: Win 7 x64 SP1
 
REPRODUCTION CASE
I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.
 
"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"
 
"http://localhost/PlayManifest.swf?file=gen.mpd
 
"To compile the .as file, I had to use special flags to flex:"
 
"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"
 
 
On Win7 x64 sp1 with Chrome 32 bit, crash like this:
6AA8B67C | 8B C3                    | mov eax,ebx                             |
6AA8B67E | E8 A1 05 00 00           | call pepflashplayer.6AA8BC24            |
6AA8B683 | EB A8                    | jmp pepflashplayer.6AA8B62D             |
6AA8B685 | 89 88 D0 00 00 00        | mov dword ptr ds:[eax+D0],ecx           |  // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00        | mov ecx,dword ptr ds:[eax+88]           |
6AA8B691 | 33 D2                    | xor edx,edx                             |
6AA8B693 | 3B CA                    | cmp ecx,edx                             |
6AA8B695 | 74 07                    | je pepflashplayer.6AA8B69E              |
6AA8B697 | 39 11                    | cmp dword ptr ds:[ecx],edx              |
6AA8B699 | 0F 95 C1                 | setne cl                                |
 
 
At first sight this looks to be an uninitialized stack variable but I might be wrong.
---
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37845.zip

#  0day.today [2018-01-26]  #

19 Aug 2015 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.55434