The flaw exists when Flash Player processes the 'avcC' box of an H.264-encoded MP4 file. While parsing the sequence parameter set, the code copies num_ref_frames_in_pic_order_cnt_cycle user-supplied offset_for_ref_frame values into a fixed-length buffer on the stack, with the count itself taken from the file. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the browser.
The vulnerability is in function sub_1005B396.
(Flash10u.ocx ver. 10.3.181.34)
.text:1005B482 call SubReadUExpGlomb ; read pic_order_cnt_type
.text:1005B487 mov [esi+40h], eax
.text:1005B48A cmp eax, ebp ; if pic_order_cnt_type not equal zero (ebp=0)
.text:1005B48C jnz short loc_1005B49D
; .....
.text:1005B49D xor ebx, ebx
.text:1005B49F inc ebx
.text:1005B4A0 cmp eax, ebx
.text:1005B4A2 jnz short loc_1005B4EF ; if pic_order_cnt_type != 1 then jump
.text:1005B4A4 mov ecx, edi
.text:1005B4A6 call SubReadBit ; read delta_pic_order_always_zero_flag
.text:1005B4AB mov ecx, edi
.text:1005B4AD mov [esi+48h], al
.text:1005B4B0 call SubReadSExpGlomb ; read offset_for_non_ref_pic
.text:1005B4B5 mov ecx, edi
.text:1005B4B7 mov [esi+54h], eax
.text:1005B4BA call SubReadSExpGlomb ; read offset_for_top_to_bottom_field
.text:1005B4BF mov ecx, edi
.text:1005B4C1 mov [esi+50h], eax
.text:1005B4C4 call SubReadUExpGlomb ; read num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4C9 mov [esi+4Ch], eax
.text:1005B4CC test eax, eax
.text:1005B4CE jbe short loc_1005B4EF ; if num_ref_frames_in_pic_order_cnt_cycle == 0 then jump
.text:1005B4D0 lea eax, [esi+58h]
.text:1005B4D3 mov [esp+10h+ptr], eax
.text:1005B4D7
.text:1005B4D7 loc_1005B4D7: ; CODE XREF: SubParseSeqParameterSet+157↓j
.text:1005B4D7 mov ecx, edi
.text:1005B4D9 call SubReadSExpGlomb ; read offset_for_ref_frame
.text:1005B4DE mov ecx, [esp+10h+ptr]
.text:1005B4E2 add [esp+10h+ptr], 4
.text:1005B4E7 inc ebp ; ebp - cycle counter
.text:1005B4E8 mov [ecx], eax ; ecx points to buffer on the stack
.text:1005B4EA cmp ebp, [esi+4Ch] ; compare counter with num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4ED jb short loc_1005B4D7
Function SubReadUExpGlomb() reads an unsigned exponential-Golomb code from the file and decodes its value; SubReadSExpGlomb() reads and decodes a signed exponential-Golomb code; SubReadBit() reads one bit. As the code above shows, the value of num_ref_frames_in_pic_order_cnt_cycle is never checked: the H.264 specification (SPS semantics) limits it to the range 0..255, but the loop trusts whatever the file supplies and writes one 4-byte offset_for_ref_frame value per iteration starting at esi+58h, so a large count writes past the end of the fixed-size buffer.
Flash Player does not use the stack cookie mitigation, so an attacker can take control of the EIP register without any difficulty.
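To make the unchecked loop concrete, here is an added example in C; it is not Flash code and not the author's exploit. It contains a small Exp-Golomb reader and writer, a re-creation of the pic_order_cnt_type == 1 branch in the form the listing shows (count trusted, 4-byte writes from the start of a fixed buffer) next to a hardened version that rejects a count above the H.264 maximum of 255 before the copy loop, and a builder that constructs the malformed SPS fragment an attacker would supply. The names read_bit/read_ue/read_se, the bitwriter_t helper, frame_sim_t and FRAME_SLOTS (4 slots, chosen arbitrarily) are assumptions of this example; the real size of the Flash buffer is not known from the listing. The stack frame is simulated by a struct so that the overwrite of the saved return-address slot can be observed without corrupting real memory, and the loop stops at the end of that struct, which the Flash code does not.

```c
/* Added example, not Flash code: Exp-Golomb bit reader/writer plus the pic_order_cnt_type == 1
 * branch of SPS parsing, once as the listing does it and once hardened. read_bit/read_ue/read_se
 * stand in for SubReadBit/SubReadUExpGlomb/SubReadSExpGlomb; the input is an RBSP (emulation-
 * prevention bytes already removed) positioned at pic_order_cnt_type; the stack frame is a struct. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define FRAME_SLOTS 4                 /* size of the fixed offset_for_ref_frame buffer (assumed) */
#define H264_MAX_POC_CYCLE_FRAMES 255 /* spec upper bound on num_ref_frames_in_pic_order_cnt_cycle */
typedef struct { const uint8_t *buf; size_t nbits, pos; } bitreader_t;
typedef struct { uint8_t buf[64]; size_t pos; } bitwriter_t;

static int read_bit(bitreader_t *r) {       /* reading past the end yields zeros */
    int b = r->pos < r->nbits ? (r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1 : 0;
    r->pos++;
    return b;
}
static uint32_t read_ue(bitreader_t *r) {   /* n zeros, a 1, n bits: codeNum = 2^n - 1 + bits */
    int n = 0; uint32_t v = 0;
    while (n < 31 && read_bit(r) == 0) n++;
    for (int i = 0; i < n; i++) v = (v << 1) | (uint32_t)read_bit(r);
    return ((1u << n) - 1) + v;
}
static int32_t read_se(bitreader_t *r) {    /* codeNum k -> (-1)^(k+1) * ceil(k/2) */
    uint32_t k = read_ue(r);
    return (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
}
static void write_bit(bitwriter_t *w, int b) {
    if (w->pos >= sizeof w->buf * 8) return;
    if (b) w->buf[w->pos >> 3] |= (uint8_t)(0x80 >> (w->pos & 7));
    w->pos++;
}
static void write_ue(bitwriter_t *w, uint32_t v) {   /* v+1 has len bits: len-1 zeros, then v+1 */
    uint32_t x = v + 1;
    int len = 0;
    for (uint32_t t = x; t; t >>= 1) len++;
    for (int i = 1; i < len; i++) write_bit(w, 0);
    for (int i = len - 1; i >= 0; i--) write_bit(w, (x >> i) & 1);
}
static void write_se(bitwriter_t *w, int32_t v) {
    write_ue(w, v > 0 ? 2u * (uint32_t)v - 1 : 2u * (uint32_t)(-v));
}
typedef struct {                            /* fields in the order the listing stores them */
    uint32_t pic_order_cnt_type;
    uint8_t  delta_pic_order_always_zero_flag;
    int32_t  offset_for_non_ref_pic, offset_for_top_to_bottom_field;
    uint32_t num_ref_frames_in_pic_order_cnt_cycle;
    int32_t  offset_for_ref_frame[H264_MAX_POC_CYCLE_FRAMES];
} poc_params_t;
typedef struct { int32_t offset_for_ref_frame[FRAME_SLOTS]; uint32_t saved_ebp, saved_ret; } frame_sim_t;

/* As in the listing: the loop trusts num_ref_frames_in_pic_order_cnt_cycle. Writes go through a byte
 * pointer so the overrun into the simulated saved_ebp/saved_ret is observable; unlike Flash we stop at
 * the end of the struct rather than walk into real memory. Returns the count the loop trusted. */
uint32_t parse_poc_type1_vulnerable(bitreader_t *r, frame_sim_t *f) {
    if (read_ue(r) != 1) return 0;         /* pic_order_cnt_type */
    (void)read_bit(r);                     /* delta_pic_order_always_zero_flag */
    (void)read_se(r);                      /* offset_for_non_ref_pic */
    (void)read_se(r);                      /* offset_for_top_to_bottom_field */
    uint32_t n = read_ue(r);               /* num_ref_frames_in_pic_order_cnt_cycle, unchecked */
    uint8_t *dst = (uint8_t *)f->offset_for_ref_frame;   /* lea eax, [esi+58h] */
    for (uint32_t i = 0; i < n && (i + 1) * 4 <= sizeof *f; i++) {
        int32_t v = read_se(r);            /* offset_for_ref_frame[i] */
        memcpy(dst + 4 * i, &v, 4);        /* mov [ecx], eax; add ptr, 4 */
    }
    return n;
}
/* Hardened: the count is checked against the spec maximum (which is also the array size) before the
 * copy loop runs. Returns 0 on success, -1 for a malformed SPS. */
int parse_poc_type1_hardened(bitreader_t *r, poc_params_t *p) {
    p->pic_order_cnt_type = read_ue(r);
    if (p->pic_order_cnt_type != 1) return 0;
    p->delta_pic_order_always_zero_flag = (uint8_t)read_bit(r);
    p->offset_for_non_ref_pic = read_se(r);
    p->offset_for_top_to_bottom_field = read_se(r);
    p->num_ref_frames_in_pic_order_cnt_cycle = read_ue(r);
    if (p->num_ref_frames_in_pic_order_cnt_cycle > H264_MAX_POC_CYCLE_FRAMES) return -1;
    for (uint32_t i = 0; i < p->num_ref_frames_in_pic_order_cnt_cycle; i++)
        p->offset_for_ref_frame[i] = read_se(r);
    return 0;
}
/* Constructed input: a type-1 fragment claiming `count` offset_for_ref_frame entries, values cycled
 * from vals. Returns the number of valid bits written to out. */
size_t build_poc_fragment(uint8_t *out, size_t cap, uint32_t count, const int32_t *vals, size_t nvals) {
    bitwriter_t w = {{0}, 0};
    write_ue(&w, 1); write_bit(&w, 0); write_se(&w, 0); write_se(&w, 0);
    write_ue(&w, count);
    for (uint32_t i = 0; i < count && w.pos < sizeof w.buf * 8; i++) write_se(&w, vals[i % nvals]);
    size_t nbytes = (w.pos + 7) / 8;
    memcpy(out, w.buf, nbytes < cap ? nbytes : cap);
    return w.pos;
}

int main(void) {
    uint8_t sps[64];
    const int32_t vals[] = {1, -1, 2, -2, 5, 65};
    bitreader_t r = {sps, build_poc_fragment(sps, sizeof sps, 6, vals, 6), 0};
    frame_sim_t f = {{0}, 0xBBBBBBBBu, 0xAAAAAAAAu};
    parse_poc_type1_vulnerable(&r, &f);    /* six entries into four slots: 5 and 65 land on ebp/ret */
    printf("saved_ebp=%u saved_ret=%u\n", (unsigned)f.saved_ebp, (unsigned)f.saved_ret);
    return 0;
}
```

Compile with cc -std=c99 -Wall. The main builds a fragment that claims six entries for a four-slot buffer; the fifth and sixth values (5 and 65) spill into the simulated saved_ebp and saved_ret slots, which is exactly the primitive the listing gives an attacker who controls the count and the se(v) values that follow it. The hardened parser refuses the same stream with a count of 300 before touching the buffer; because the spec range is 0..255, the destination can be sized statically and the single comparison covers both the spec and the capacity.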
Would you like to share some ideas about how to exploit it (bypassing DEP+SafeSEH is needed)? I know that I can overwrite the SEH handler via the BOF,
In my exploit I used ROP + heap spray to bypass DEP and ASLR. For ROP I used MSVCR71.dll, GrooveUtil.dll and msxml5.dll (I did three variants). As I remember, there was a possibility to directly overwrite the return address, with no need to overwrite SEH. If my memory does not fail me, so it is.