The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling special pool on ndis.sys, netio.sys and ntoskrnl helps to track down the issue; however, it will also crash due to a bad pool header without special pool.
3403491c7fbf36174b15a563987a49c4a34c9dfe661dfceec3ca982b901368ad
The proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
d354b53a4080ae486dd69761b4252b5e10b5e424aae7f11b794443c70d285daa
There is a use-after-free in MovieClip.swapDepths in Adobe Flash.
fdc90abdb1b2a25ee44d0715804979dcd608cbd02e9a1639cbcdf73c438f77f6
Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
5b06b6212cc51d413bdd06023037f42808725455f1165b6efd62121434c36394
Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
49ff9762af828d1e6b2e50488ceae9afbbccea4122ec458cc3e8a553d5f7e5aa
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
4c1acddf8f07f6545317d049c59f4af89211c523cf6ef53842973345239d2469
The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
576dca8249e5bf441b6ff1587895439d38da0d1c81ab8174fa260345c26a6b1b
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on the Linux x64 build (Flash v17.0.0.188).
fd12f01c9fd51ba81094c5dc05092a2ce0cc36a748d2d389573b850c73ad3728
The attached swf file, opened in Google Chrome (Linux x64), will eventually result in a dialog offering to terminate the slow script.
17b207be2be2c98b9917a15b28b622575b3a5ea1d9db9361a651b483559ced30
A nasty-looking crash manifests in various ways under fuzzing, apparently related to drawing and bitmap handling.
e53bbf5ffe51ba5e1ba406eb0b58ff40edd25c9943807440ef21cb92a486578d
Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
67e07a94bd3af7f8fb477b9542888d1cf25f1dc629893818446d17a6c15e0452
An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5be
There is a use-after-free vulnerability in the ActionScript 2 TextField.filters array property.
c8c4ddb8248e3234cb7f686b990e44c2c471253c71a58e09d477456af6b8c3b9
Issues in DefineBitsLossless and DefineBitsLossless2 lead to the use of uninitialized memory while rendering a picture. This is caused by the return value of a zlib function not being properly checked.
396c2a8d45a861b578261ac35463e414a0c7141b924077f21e2a31daf61bcf90
Loading a malformed MPD file can corrupt Flash Player's memory.
838fb72db8a1b4cff405ee11b823ee6860c72fe5b2122b2eea654ffdf46183a5
A use-after-free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write String pointers to freed locations.
4fd920218793a46ab9cce3ab98f7a35862ab1c6417a8854638fed40036695f51
An integer overflow while calling Function.apply can lead to entering an ActionScript function without correctly validating the supplied arguments. Chrome version 41.0.2272.101 stable with Flash version 17.0.0.134 is affected.
851dccc1f099ae9b266f4f0571a50d127e908035fc85ecbce224da0685db6067
Flash suffers from a broker-based sandbox escape.
989036efd58bbccc9c007b2a7121bd6ba170455cc7d74bc71d5f4bbe336962f7
Flash suffers from a broker-based sandbox escape.
ff44243af4b26853124e63a9869c6b81f401bc2ad222680958329a437559b8ef
Flash suffers from a broker-based sandbox escape.
32f8d2576cdd393f19c2a9cdbb6d3476d8fda0611004641c02e347365ebea2ae
The "transient array" specified in the "Type 2 Charstring format" specs but also available in Type1 fonts (originally for the purpose of facilitating Multiple Master fonts) is allocated dynamically only if the CoolType interpreter encounters an instruction which requires the presence of the array, such as "get" or "store". While allocating the array, however, the routine does not automatically clear the contents of the newly created buffer.
6ace69fba4e02dc5c9eedf369a1611909bcd055bd1c38c7a835323a1176ce061
There is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.
f100f0c5cc96a2a407b46491520f1bce43ba7ca526f4e6c69f5887bf768c2eca
The Type1/CFF CharString interpreter code in the Adobe Type Manager Font Driver (ATMFD.DLL) Windows kernel module performs almost no verification that the operand stack is large enough to contain the required instruction operands, which can lead to up to "off-by-three" over-reads and overwrites on the interpreter function stack.
51ba13f671a701f0476a89dfbec32f4088b01330862ec09c0a793c9e3d8643a0
The NtPowerInformation system call checks that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. On Windows 7 this check is bypassable because the SeTokenIsAdmin function does not take into account the impersonation level of the token, and neither does the rest of the code.
8e80a5edbfcfa8ce64460f4e9edf0e6164d6af2253e064cbdbd72a18a7cc6f4a
Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
211858c5b9e08bfdb94ac6f00d553181d66e260d3e96b6772ee5d08a2eeebad8
Researchers have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files.
04fddfcac6b041b9767e037c57308e83d27c063d91368ef64e5e28a5f2f828ad