
22 new exploits Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002) Windows XP SP3 x86 and 2003 SP2 x86 - NDProxy Privilege Escalation (MS14-002) exim <= 4.84-3 - Local Root Exploit Exim <= 4.84-3 - Local Root Exploit CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow OS X / iOS Suid Binary Logic Error Kernel Code Execution Multiple CCTV-DVR Vendors - Remote Code Execution MiCollab 7.0 - SQL Injection Vulnerability Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans Avira - Heap Underflow Parsing PE Section Headers Comodo - PackMan Unpacker Insufficient Parameter Validation Comodo - LZMA Decoder Heap Overflow via Insufficient Parameter Checks Comodo - Integer Overlow Leading to Heap Overflow Parsing Composite Documents Wireshark - dissect_ber_integer Static Out-of-Bounds Write Comodo - Integer Overflow Leading to Heap Overflow in Win32 Emulation Comodo Antivirus - Heap Overflow in LZX Decompression OS X Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort Adobe Flash - Shape Rendering Crash Adobe Flash - Zlib Codec Heap Overflow Adobe Flash - Sprite Creation Use-After-Free Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix OS X Kernel - AppleKeyStore Use-After-Free OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver
16 lines
1.2 KiB
Text
Executable file
16 lines
1.2 KiB
Text
Executable file
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715
|
|
|
|
The ActionScript parameter conversion in the fix for issue 403 (https://code.google.com/p/google-security-research/issues/detail?id=403) can sometimes access a parameter on the native stack that is uninitialized.
|
|
|
|
If:
|
|
|
|
mc.swapDepths();
|
|
|
|
is called in ActionScript, a parameter array is allocated using alloca(0), which leads to a 16-byte (the minimum size length for alloca in the implementation) that does not get initialized. The conversion function in the UaF check then assumes that at least one parameter has been allocated, and attempts to convert the stack parameter to a string, even though it is a previous value (a UTF string "fffff ... " in the PoC).
|
|
|
|
A PoC is attached, it is a bit finicky and depends a lot on the specific Flash version. It crashes currently in chrome-unstable, by loading crasher2.swf?num=15, and then immediately loading crasher2.swf?num=4. The num parameter shifts the stack (for nums between 0 and 31), so changing it around should lead to crashes in different browsers.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39613.zip
|
|
|