Researchers at FortiGuard Labs recently discovered another heap overflow vulnerability in the Adobe Flash Player. The vulnerability, CVE-2015-5129, is similar to a larger group of security issues found in Flash Player, all of which could be exploited to allow remote code execution on the host system.
Although FortiGuard has not observed active exploits for this particular vulnerability in the wild, we did find multiple products that incorporate Flash with the vulnerability. This includes the Google Chrome browser. Additionally, the vulnerability could affect mobile developers on both Android and Apple iOS if Adobe AIR SDK & Compiler220.127.116.11 has been used. Perhaps more importantly, many active exploits have been developed for similar vulnerabilities, making future exploit development more straightforward.
That said, Adobe not only patched this vulnerability very quickly but has also implemented layers of security, including the Adobe Sandbox, in recent versions of Flash that make it far more difficult to compromise a system by exploiting Flash. While new, arguably more secure web technologies are enabling rich media in ways that only Flash could in the past, Flash remains a nearly ubiquitous technology on PCs and a variety of embedded systems, making the ongoing maintenance and security of the application a critical task.
Here's a closer look at the vulnerability and a demonstration of the use of regular expression parsing to generate a heap overflow. The following analysis is based on flashplayer_17_sa_169.exe. The crash location may be different when Flash Player plug-in runs in web browser.
First, the regular expression parsing engine in Flash Player generates the compiled code in a heap buffer. The compiled code buffer looks like:
The length of the compiled code buffer is 0x7d50.
The following match function in pcre lib is called.
match(REGISTER USPTR eptr, REGISTER const uschar *ecode, const uschar *mstart, int offset_top, match_data *md, unsigned long int ims, eptrblock *eptrb, int flags, unsigned int rdepth)
The individual arguments are explained below:
eptr - pointer to current character in subject
ecode - pointer to current position in compiled code
mstart - pointer to the current match start position (can be modified by encountering \K)
offset_top current - top pointer
md - pointer to "static" info for the match
ims - current /i, /m, and /s options
eptrb - pointer to chain of blocks containing eptr at start of brackets - for testing for empty matches
flags - can contain
match_condassert - this is an assertion condition
match_cbegroup - this is the start of an unlimited repeat group that can match an empty string
rdepth - the recursion depth
The function could return the following results:
MATCH_MATCH if matched
MATCH_NOMATCH if failed to match
A negative PCRE_ERROR_xxx value if aborted by an error condition (e.g. stopped by repeated call or recursion limit)
The pointer ecode points to the current position in the compiled code buffer, which has a value of 0x0C54602C.
Since the specifically crafted regular expression is incorrectly compiled, eventually when executing the string match, it causes an out-of-bounds read crash in heap buffer.
The assembly code snippet is shown below:
01892AB7 . 894F 08 mov dword ptr [edi+8], ecx //ecx is 0x0C54DD36
01892ABA > 8B47 08 mov eax, dword ptr [edi+8] //eax is 0x0C54DD36
01892ABD . 0FB648 04 movzx ecx, byte ptr [eax+4]
01892AC1 . 0FB650 05 movzx edx, byte ptr [eax+5]
01892AC5 . C1E1 08 shl ecx, 8
01892AC8 . 0BCA or ecx, edx //ecx is 0x2438
01892ACA . 8D4401 03 lea eax, dword ptr [ecx+eax+3] //eax is 0x0C550171 which points to an invalid heap address and
causes the heap overflow
01892ACE . 8947 08 mov dword ptr [edi+8], eax
01892AD1 . 8038 53 cmp byte ptr [eax], 53 //crash occurs here
This vulnerability could potentially be exploited to execute arbitrary code with Advanced Heap Manipulation techniques.
Fortinet blocks this vulnerability with IPS Signature: Adobe.Flash.ActionScript.Regexp.Heap.Overflow. Thanks to Kai Lu for discovering this vulnerability.