Adobe Flash (Linux x64) - Bad Dereference at 0x23c
Author: Google Security Research
type: dos
platform: linux_x86-64
port:
date_added: 2015-08-19
date_updated: 2015-08-19
verified: 1
codes: CVE-2015-5546
tags:
aliases:
screenshot_url:
application_url:
raw file: 37868.txt
Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):

=> 0x00007f693155bf58: mov (%rdi),%rbx
rdi 0x23c 572

At first glance this might appear to be a NULL dereference, but sometimes it crashes trying to access 0xc8, and different builds have shown crashes at much wilder addresses, so there is probably a use-after-free or other non-deterministic condition going on. For example, our fuzzing cluster saw a crash at 0x400000001.

The base sample from which the fuzz case is derived is also attached.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37868.zip
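The triage reasoning in the report (small values such as 0x23c and 0xc8 look like a field read through a NULL object pointer, but differing fault addresses across runs and builds point at a stale pointer) can be applied mechanically to a batch of crash logs. The following is an added example and not code from the report: the gdb-style excerpts are constructed to match the format shown above (the fault addresses are the ones the report mentions, the pc of the third excerpt is made up), and the 0x1000 "nothing mapped below here" threshold is an assumption.

```python
import re
from collections import Counter

# Constructed gdb-style crash excerpts in the shape the report shows.
# Fault addresses come from the report; the third pc is invented for the example.
CRASHES = [
    "=> 0x00007f693155bf58: mov (%rdi),%rbx\nrdi 0x23c 572",
    "=> 0x00007f693155bf58: mov (%rdi),%rbx\nrdi 0xc8 200",
    "=> 0x00007f1234567890: mov (%rdi),%rbx\nrdi 0x400000001 17179869185",
]

# Faulting instruction with a register-indirect memory operand, e.g. "mov (%rdi),%rbx".
INSN_RE = re.compile(r"=> 0x([0-9a-f]+):\s+\S+\s+\((%\w+)\)")
# Register dump line, e.g. "rdi 0x23c 572".
REG_RE = re.compile(r"^(\w+)\s+0x([0-9a-f]+)", re.M)

NULL_PAGE = 0x1000  # assumed: no user mapping exists below this address


def fault_address(excerpt):
    """Return (pc, register, address held in it) for the faulting load, or None."""
    m = INSN_RE.search(excerpt)
    if not m:
        return None
    pc, reg = int(m.group(1), 16), m.group(2).lstrip("%")
    for rm in REG_RE.finditer(excerpt):
        if rm.group(1) == reg:
            return pc, reg, int(rm.group(2), 16)
    return None


def classify(addr):
    """Label a fault address by what it most likely means."""
    if addr < NULL_PAGE:
        return "null-plus-offset"  # NULL pointer plus a struct field offset
    if addr >= 1 << 47:
        return "non-canonical"     # outside x86-64 user-space address range
    return "wild"                  # mapped-range address: stale or corrupted pointer


def triage(excerpts):
    """Summarise crashes from one sample: per-class counts and a verdict."""
    classes, addrs = Counter(), set()
    for excerpt in excerpts:
        parsed = fault_address(excerpt)
        if parsed is None:
            continue
        addrs.add(parsed[2])
        classes[classify(parsed[2])] += 1
    # One stable near-NULL address is a plain NULL deref; several distinct
    # addresses across runs suggest a dangling pointer, i.e. use-after-free.
    if len(addrs) == 1 and "null-plus-offset" in classes:
        verdict = "deterministic null deref"
    elif len(addrs) > 1:
        verdict = "non-deterministic: suspect use-after-free"
    else:
        verdict = "single wild address"
    return {"classes": dict(classes), "distinct_addresses": len(addrs), "verdict": verdict}
```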