Adobe Flash Player 24.0.0.186 – ‘ActionGetURL2’ Out-of-Bounds Memory Corruption (2)

• Exploit Database
• 17 阅读

• 作者： COSIG
  日期： 2017-01-11
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/41012/

• Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/
  
  #####################################################################################
  
  # Application: Adobe Flash Player
  # Platforms: Windows,OSX
  # Versions: 24.0.0.186 and earlier
  # Author: Francis Provencher of COSIG
  # Website: https://cosig.gouv.qc.ca/en/advisory/
  # Twitter: @COSIG_
  # Date: January 10, 2017
  # CVE-2017-2930
  # COSIG-2016-35
  
  #####################################################################################
  
  1) Introduction
  2) Report Timeline
  3) Technical details
  4) POC
  
  #####################################################################################
  
  ================
  1) Introduction
  ================
  
  Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created
  on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
  Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia
  and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
  
  (https://en.wikipedia.org/wiki/Adobe_Flash_Player)
  
  #####################################################################################
  
  ============================
  2) Rapport de Coordination
  ============================
  
  2016-11-13: Francis Provencher of COSIG report this vulnerability to Adobe PSIRT;
  2016-11-14: Adobe PSIRT confirm this vulnerability;
  2017-01-10: Adobe publish a patch (APSB17-02);
  2017-01-10: Advisory released by COSIG;
  
  #####################################################################################
  
  =====================
  3) Technical details
  =====================
  
  The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
  visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord”
  structure that contain an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user.
  
  #####################################################################################
  
  ===========
  4) POC:
  ===========
  
  https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41012.zip
  
  ####################################################################################