Thursday, November 24, 2011

Analysis of CVE 2011-2140 Adobe Flash Player MP4 sequenceParameterSetNALUnit Vulnerability

The flaw exists in the way Flash Player processes the 'avcC' box of an H.264-encoded MP4 file. The parser reads num_ref_frames_in_pic_order_cnt_cycle from the file and copies that many user-supplied offset_for_ref_frame values into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the browser.

The vulnerability is in function sub_1005B396.
(Flash10u.ocx ver.

.text:1005B482                 call    SubReadUExpGlomb            ; read pic_order_cnt_type
.text:1005B487                 mov     [esi+40h], eax
.text:1005B48A                 cmp     eax, ebp                      ; if pic_order_cnt_type not equal zero (ebp=0)
.text:1005B48C                 jnz     short loc_1005B49D
; .....  
.text:1005B49D                 xor     ebx, ebx
.text:1005B49F                 inc     ebx
.text:1005B4A0                 cmp     eax, ebx                    
.text:1005B4A2                 jnz     short loc_1005B4EF            ; if pic_order_cnt_type != 1 then jump
.text:1005B4A4                 mov     ecx, edi
.text:1005B4A6                 call    SubReadBit                    ; read delta_pic_order_always_zero_flag
.text:1005B4AB                 mov     ecx, edi
.text:1005B4AD                 mov     [esi+48h], al
.text:1005B4B0                 call    SubReadSExpGlomb              ; read offset_for_non_ref_pic
.text:1005B4B5                 mov     ecx, edi
.text:1005B4B7                 mov     [esi+54h], eax
.text:1005B4BA                 call    SubReadSExpGlomb              ; read offset_for_top_to_bottom_field
.text:1005B4BF                 mov     ecx, edi
.text:1005B4C1                 mov     [esi+50h], eax
.text:1005B4C4                 call    SubReadUExpGlomb              ; read num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4C9                 mov     [esi+4Ch], eax
.text:1005B4CC                 test    eax, eax
.text:1005B4CE                 jbe     short loc_1005B4EF            ; if num_ref_frames_in_pic_order_cnt_cycle == 0 then jump
.text:1005B4D0                 lea     eax, [esi+58h]
.text:1005B4D3                 mov     [esp+10h+ptr], eax
.text:1005B4D7 loc_1005B4D7:                           ; CODE XREF: SubParseSeqParameterSet+157 j
.text:1005B4D7                 mov     ecx, edi
.text:1005B4D9                 call    SubReadSExpGlomb              ; read offset_for_ref_frame
.text:1005B4DE                 mov     ecx, [esp+10h+ptr]
.text:1005B4E2                 add     [esp+10h+ptr], 4
.text:1005B4E7                 inc     ebp                           ; ebp - cycle counter
.text:1005B4E8                 mov     [ecx], eax                    ; ecx points to buffer on the stack
.text:1005B4EA                 cmp     ebp, [esi+4Ch]                ; compare counter with num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4ED                 jb      short loc_1005B4D7

   Function SubReadUExpGlomb() reads an unsigned exponential-Golomb code from the file and decodes its value. SubReadSExpGlomb() reads and decodes a signed exponential-Golomb code. Function SubReadBit() reads one bit. As the code above shows, the value of num_ref_frames_in_pic_order_cnt_cycle is never checked.
   Flash Player does not use the stack cookie mitigation, so an attacker can take control of the eip register without any problems.
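
The missing bounds check, as an added example (not code from Flash Player or from the original post): a minimal C reader for the pic_order_cnt_type == 1 fields that decodes the Exp-Golomb values and rejects an out-of-range num_ref_frames_in_pic_order_cnt_cycle before the copy loop. The bitreader and sps_poc types, the function names and the 255-entry array (the H.264 limit for this field) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_POC_CYCLE 255 /* H.264 limit (assumed size); Flash's real buffer size is not on the page */
typedef struct { const uint8_t *buf; size_t nbits, pos; int err; } bitreader;
typedef struct {
    int32_t offset_for_non_ref_pic, offset_for_top_to_bottom_field;
    uint32_t num_ref_frames_in_pic_order_cnt_cycle;
    int32_t offset_for_ref_frame[MAX_POC_CYCLE];
    uint8_t delta_pic_order_always_zero_flag;
} sps_poc;
/* One bit, MSB first; reading past the end sets err and returns 0. */
static unsigned read_bit(bitreader *br) {
    if (br->pos >= br->nbits) { br->err = 1; return 0; }
    size_t p = br->pos++;
    return (br->buf[p >> 3] >> (7 - (p & 7))) & 1u;
}
/* ue(v): count leading zero bits, then read that many suffix bits. */
static uint32_t read_ue(bitreader *br) {
    int zeros = 0;
    while (!read_bit(br))
        if (br->err || ++zeros > 31) { br->err = 1; return 0; }
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++) suffix = (suffix << 1) | read_bit(br);
    return (uint32_t)((1ull << zeros) - 1) + suffix;
}
/* se(v): odd code numbers map to positive values, even ones to negative. */
static int32_t read_se(bitreader *br) {
    uint32_t k = read_ue(br);
    return (k & 1) ? (int32_t)(k / 2 + 1) : -(int32_t)(k / 2);
}
/* pic_order_cnt_type == 1 branch; returns 0 on success, -1 on a malformed SPS. */
int parse_poc_type1(bitreader *br, sps_poc *s) {
    s->delta_pic_order_always_zero_flag = (uint8_t)read_bit(br);
    s->offset_for_non_ref_pic = read_se(br);
    s->offset_for_top_to_bottom_field = read_se(br);
    uint32_t n = read_ue(br);
    if (br->err || n > MAX_POC_CYCLE) return -1; /* the check the listing lacks */
    s->num_ref_frames_in_pic_order_cnt_cycle = n;
    for (uint32_t i = 0; i < n; i++) s->offset_for_ref_frame[i] = read_se(br);
    return br->err ? -1 : 0;
}
int main(void) {
    static const uint8_t oversized[] = {0x60, 0x0F, 0xA4}; /* constructed: count = 1000 */
    bitreader br = {oversized, 22, 0, 0};
    sps_poc s;
    printf("oversized count -> %d\n", parse_poc_type1(&br, &s));
    return 0;
}
```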


  1. Would you like to share some ideas about how to exploit it (bypassing DEP+SAFESEH is needed)? I know that I can overwrite the SEH handler by bof,

  2. In my exploit I used ROP+heapspray to bypass DEP and ASLR. For ROP I used MSVCR71.dll, GrooveUtil.dll and msxml5.dll (I did three variants). As I remember, it was possible to overwrite the return address directly, with no need to overwrite SEH. If my memory does not fail me, that is so.
