Loading a weird MPD file can corrupt flash player's memory.

vendor:

Windows 7

by:

bilou

8.8

CVSS

HIGH

Memory Corruption

119

CWE

Product Name: Windows 7

Affected Version From: Chrome 41.0.2272.101, Flash 17.0.0.134

Affected Version To: Chrome 41.0.2272.101, Flash 17.0.0.134

Patch Exists: YES

Related CWE: CVE-2015-5119

CPE: o:microsoft:windows_7::-:sp1

Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-vid-348bfa69-25a2-11e5-ade1-0011d823eebd/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-5119/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2015-5119/, https://www.rapid7.com/db/vulnerabilities/adobe-air-cve-2015-5119/, https://www.rapid7.com/db/vulnerabilities/adobe-flash-apsb15-16-cve-2015-5119/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2015-1214/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

Loading a weird MPD file can corrupt flash player’s memory.

Loading a weird MPD file can corrupt flash player's memory. On Win7 x64 sp1 with Chrome 32 bit, crash like this: 6AA8B67C | 8B C3 | mov eax,ebx | 6AA8B67E | E8 A1 05 00 00 | call pepflashplayer.6AA8BC24 | 6AA8B683 | EB A8 | jmp pepflashplayer.6AA8B62D | 6AA8B685 | 89 88 D0 00 00 00 | mov dword ptr ds:[eax+D0],ecx | // crash here, eax points somewhere in pepflashplayer.dll 6AA8B68B | 8B 88 88 00 00 00 | mov ecx,dword ptr ds:[eax+88] | 6AA8B691 | 33 D2 | xor edx,edx | 6AA8B693 | 3B CA | cmp ecx,edx | 6AA8B695 | 74 07 | je pepflashplayer.6AA8B69E | 6AA8B697 | 39 11 | cmp dword ptr ds:[ecx],edx | 6AA8B699 | 0F 95 C1 | setne cl | At first sight this looks to be an uninitialized stack variable.

Mitigation:

Update to the latest version of Chrome and Flash

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
Loading a weird MPD file can corrupt flash player's memory.

VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134
Operating System: Win 7 x64 SP1

REPRODUCTION CASE
I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.

"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"

"http://localhost/PlayManifest.swf?file=gen.mpd

"To compile the .as file, I had to use special flags to flex:"

"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"


On Win7 x64 sp1 with Chrome 32 bit, crash like this:
6AA8B67C | 8B C3                    | mov eax,ebx                             |
6AA8B67E | E8 A1 05 00 00           | call pepflashplayer.6AA8BC24            |
6AA8B683 | EB A8                    | jmp pepflashplayer.6AA8B62D             |
6AA8B685 | 89 88 D0 00 00 00        | mov dword ptr ds:[eax+D0],ecx           |  // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00        | mov ecx,dword ptr ds:[eax+88]           |
6AA8B691 | 33 D2                    | xor edx,edx                             |
6AA8B693 | 3B CA                    | cmp ecx,edx                             |
6AA8B695 | 74 07                    | je pepflashplayer.6AA8B69E              |
6AA8B697 | 39 11                    | cmp dword ptr ds:[ecx],edx              |
6AA8B699 | 0F 95 C1                 | setne cl                                |


At first sight this looks to be an uninitialized stack variable but I might be wrong.
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37845.zip