To trigger the bug, the Flash Player module has to be loaded into Firefox's own virtual address space. That only happens when Flash Player protected mode is disabled and Firefox's plugin-container process is disabled as well.
The bug is an indirect CALL through a vtable pointer read from an invalid object pointer in the vtable dispatcher: esi points at unmapped memory, the vtable pointer is loaded from it, and the target is then called through that vtable. Here is the bug as it appears in the exception state:
0:048> g
Implementation limit exceeded: attempting to allocate too-large object
error: out of memory
(170fc.16998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=0034f670 edx=00000000 esi=1600f2c8 edi=0000001c
eip=5996bd5f esp=0034f638 ebp=0034f668 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll -
NPSWF32_14_0_0_145!unuse_netscape_plugin_Plugin+0x5c2:
5996bd5f 8b461c mov eax,dword ptr [esi+1Ch] ds:002b:1600f2e4=????????
0:000> u eip L10
NPSWF32_14_0_0_145!unuse_netscape_plugin_Plugin+0x5c2:
5996bd5f 8b461c mov eax,dword ptr [esi+1Ch] <--Read unmapped address
5996bd62 a801 test al,1
5996bd64 7420 je NPSWF32_14_0_0_145!unuse_netscape_plugin_Plugin+0x5e9 (5996bd86)
5996bd66 33d2 xor edx,edx
5996bd68 39550c cmp dword ptr [ebp+0Ch],edx
5996bd6b 7519 jne NPSWF32_14_0_0_145!unuse_netscape_plugin_Plugin+0x5e9 (5996bd86)
5996bd6d 8b4e04 mov ecx,dword ptr [esi+4]
5996bd70 83e0fe and eax,0FFFFFFFEh
5996bd73 89461c mov dword ptr [esi+1Ch],eax
5996bd76 8b06 mov eax,dword ptr [esi] <--Read unmapped address
5996bd78 51 push ecx
5996bd79 8bce mov ecx,esi
5996bd7b 895604 mov dword ptr [esi+4],edx
5996bd7e 895618 mov dword ptr [esi+18h],edx
5996bd81 ff500c call dword ptr [eax+0Ch] <--Dereference arbitrary memory content
5996bd84 eb06 jmp NPSWF32_14_0_0_145!unuse_netscape_plugin_Plugin+0x5ef (5996bd8c)
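The listing also shows the preconditions: the call at 5996bd81 is reached only if bit 0 of [esi+1Ch] is set and the second stack argument ([ebp+0Ch]) is zero, and [esi+4], [esi+18h] and [esi+1Ch] are written before the call, so the memory esi points at must be mapped and writable, not merely readable. The C below is an added illustration, not Flash Player's code and not part of the original report: it rewrites the dispatcher from the listing in C, runs it over a legitimate object, and then over a forged object placed in attacker-filled memory (a malloc'd buffer standing in for a heap spray), which turns the crash into a call to a chosen function. The field names, the `real_handler`/`hijacked` functions and the 256-byte "spray" are all assumptions for the example; the offsets in the comments match the x86 disassembly only in a 32-bit build.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Flash Player code: models the dispatcher at
 * 5996bd5f..5996bd81. Field offsets in the comments are the x86 ones from
 * the listing (+0, +4, +18h, +1Ch); on a 64-bit build they differ, the
 * logic does not. */

struct plugin_obj;
typedef uint32_t (*slot_fn)(struct plugin_obj *self, uint32_t arg);

struct vtable {
    slot_fn slot[4];            /* slot[3] sits at +0Ch on x86: target of call [eax+0Ch] */
};

struct plugin_obj {
    const struct vtable *vt;    /* +0   : loaded by mov eax,[esi]                 */
    uint32_t pending;           /* +4   : loaded into ecx and pushed as argument  */
    uint32_t reserved[4];       /* +8..+14h : not touched on this path            */
    uint32_t state;             /* +18h : zeroed before the call                  */
    uint32_t flags;             /* +1Ch : bit 0 gates the whole path              */
};

#define NOT_CALLED 0xFFFFFFFFu  /* sentinel: the branch to 5996bd86 was taken */

/* Straight rewrite of the listing; nothing here validates self. */
uint32_t dispatch(struct plugin_obj *self, uint32_t arg)
{
    uint32_t f = self->flags;              /* mov eax,[esi+1Ch]   (first fault in the dump)  */
    if (!(f & 1u))                         /* test al,1 / je 5996bd86                          */
        return NOT_CALLED;
    if (arg != 0)                          /* cmp [ebp+0Ch],edx / jne 5996bd86                 */
        return NOT_CALLED;
    uint32_t pending = self->pending;      /* mov ecx,[esi+4]                                  */
    self->flags = f & ~1u;                 /* and eax,0FFFFFFFEh / mov [esi+1Ch],eax           */
    slot_fn target = self->vt->slot[3];    /* mov eax,[esi]  ...  [eax+0Ch]                    */
    self->pending = 0;                     /* mov [esi+4],edx                                  */
    self->state = 0;                       /* mov [esi+18h],edx                                */
    return target(self, pending);          /* call [eax+0Ch]: ecx = this, pushed ecx = arg     */
}

/* Legitimate handler and vtable, as the plugin would normally have them (assumed). */
static uint32_t real_handler(struct plugin_obj *self, uint32_t arg) { (void)self; return arg + 1; }
static const struct vtable real_vt = { { real_handler, real_handler, real_handler, real_handler } };

/* Stand-in for attacker-chosen code (a stack pivot or ROP entry in a real exploit). */
static uint32_t hijacked(struct plugin_obj *self, uint32_t arg) { (void)self; (void)arg; return 0x41414141u; }

/* Normal path: a valid object, bit 0 set, second argument zero. */
uint32_t demo_legit(void)
{
    struct plugin_obj obj = { &real_vt, 41, {0}, 7, 1 };
    return dispatch(&obj, 0);              /* real_handler(obj, 41) */
}

/* Model of the crash: esi points into memory the attacker filled instead of a
 * valid object. The buffer is a constructed stand-in for such a region; in the
 * dump the address was simply unmapped, which is why it faulted instead. */
uint32_t demo_hijack(void)
{
    uint8_t *spray = malloc(256);          /* constructed "controlled" memory */
    if (!spray) return NOT_CALLED;
    struct vtable fake_vt;
    struct plugin_obj fake_obj;
    for (int i = 0; i < 4; i++) fake_vt.slot[i] = hijacked;
    memcpy(spray, &fake_vt, sizeof fake_vt);            /* fake vtable at spray+0   */
    memset(&fake_obj, 0, sizeof fake_obj);
    fake_obj.vt = (const struct vtable *)spray;         /* [esi] -> fake vtable     */
    fake_obj.pending = 0x1234;
    fake_obj.flags = 1;                                 /* precondition: bit 0 set  */
    memcpy(spray + 64, &fake_obj, sizeof fake_obj);     /* fake object at spray+64  */
    uint32_t r = dispatch((struct plugin_obj *)(spray + 64), 0);
    free(spray);
    return r;
}

/* Either gate failing means the call is never reached, whatever the object holds. */
uint32_t demo_gated(int clear_flag, uint32_t arg)
{
    struct plugin_obj obj = { &real_vt, 41, {0}, 7, clear_flag ? 0u : 1u };
    return dispatch(&obj, arg);
}

int main(void)
{
    printf("legit  : %#x\n", demo_legit());
    printf("hijack : %#x\n", demo_hijack());
    printf("gated  : %#x %#x\n", demo_gated(1, 0), demo_gated(0, 5));
    return 0;
}
```

The point of the two gates is practical: whatever the fuzzed file corrupts to land esi on a chosen address, the spray at that address must also present a set bit 0 at +1Ch and be writable at +4, +18h and +1Ch, or the dispatcher branches away and the call is never reached.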
I reported this bug to Adobe and they opened case PSIRT-2707 on 14 April 2014, but so far Adobe hasn't confirmed whether or not it was able to reproduce the bug or the exception state reported.
Again, the bug doesn't affect the default configuration, so it is very unlikely that you are affected. Users running Firefox with plugin-container disabled together with the Flash Player plugin with protected mode disabled are affected by this issue.
The original report covers Flash Player 13_0_0_182 and Firefox 28.0, but the testcase still crashes Flash Player 14_0_0_145 in Firefox 30.0 (the latest versions available as of writing).
These are the steps to reproduce the bug:
- Edit mms.cfg to set ProtectedMode=0, which disables protected mode in Flash Player
- Start cmd.exe and type "set MOZ_DISABLE_OOP_PLUGINS=1" to disable plugin-container in Firefox
- Start Firefox from that same command prompt, so it inherits the variable
- Open fuzzed.swf in Firefox (drag and drop should work)
- Attach WinDbg to the firefox.exe process when you notice Firefox hanging
- The exception should occur within a few seconds. If you see the out-of-memory error in the debugger log without an exception, restart the browser and try again.
Drop me an email if you think you need the testcase.