CVE-2015-5133 : Détail

CVE-2015-5133

Overflow
75.43%V3
Network
2015-08-13
23h00 +00:00
2018-01-04
18h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5131 and CVE-2015-5132.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 37858

Date de publication : 2015-08-18 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The following access violation was observed in the Adobe Flash Player plugin: (1ba8.1c60): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for FlashPlayer.exe - eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0: 017723c0 8b0408 mov eax,dword ptr [eax+ecx] ds:002b:089ce800=???????? 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0 0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df 0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242 0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2 0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa 0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845 0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5 0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061 00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602 0:000> db ecx 08982000 35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff 5............... 08982010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................ 08982020 80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00 ................ 08982030 00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00 ........ P...... 08982040 03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00 .0..I........... 08982050 00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00 ................ 08982060 00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00 ................ 08982070 00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08 ............ P.. 0:000> !address ecx [...] Usage: <unknown> Base Address: 08906000 End Address: 08990000 Region Size: 0008a000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 087f0000 Allocation Protect: 00000001 PAGE_NOACCESS Notes: - Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows. - The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX". - The 32-bit value read from the unmapped memory address is in fact a pointer, and is used to immediately read 12 bytes from in one function up the call chain. - Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37858.zip

Products Mentioned

Configuraton 0

Adobe>>Flash_player >> Version To (including) 11.2.202.491

Linux>>Linux_kernel >> Version -

Configuraton 0

Adobe>>Air >> Version To (including) 18.0.0.180

Adobe>>Air_sdk >> Version To (including) 18.0.0.180

Adobe>>Air_sdk_\&_compiler >> Version To (including) 18.0.0.180

Configuraton 0

Adobe>>Flash_player >> Version To (including) 18.0.0.209

Apple>>Mac_os_x >> Version -

Microsoft>>Windows >> Version -

Configuraton 0

Opensuse>>Evergreen >> Version 11.4

Références

https://security.gentoo.org/glsa/201508-01
Tags : vendor-advisory, x_refsource_GENTOO
http://www.securityfocus.com/bid/76284
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/37858/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1033235
Tags : vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2015-1603.html
Tags : vendor-advisory, x_refsource_REDHAT