
Adobe Flash Overflow in ID3 Tag Parsing

Disclosure Date: August 14, 2015. Last updated: February 13, 2020.

Description

Integer overflow in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors. If an MP3 file contains compressed ID3 data larger than 0x2aaaaaaa bytes, an integer overflow occurs when computing the size of the buffer that is to hold its converted string data, so the buffer is allocated too small and the subsequent copy is a large copy into a small buffer. A sample fla, swf and mp3 are attached; put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64-bit platforms.

Technical Analysis

Details

The decode_buffer_size is calculated this way in Flash:

decode_buffer_size = (encode_data_size - 1) * 6 + 2

In asm:

.text:10024F13 loc_10024F13:                           ; CODE XREF: sub_10024C79+278j
.text:10024F13                 mov     eax, ebx
.text:10024F15                 imul    eax, 6
.text:10024F18                 add     eax, 2
.text:10024F1B                 cmp     [esi+28h], eax
.text:10024F1E                 mov     [ebp+var_20], eax
.text:10024F21                 jge     short loc_10024F4D

During decoding, the buffer can be reallocated:

int current_buffer_size;
int decoded_buffer_size;

if (current_buffer_size < decoded_buffer_size) {
    // reallocate the decode buffer
}

If the encode_data_size is larger than 0x2aaaaaab, it will cause an integer overflow in the calculation of (encode_data_size - 1) * 6 + 2.

Patch for CVE-2015-5560

Version 18.0.0.232:

.text:10024E3E                 mov     eax, [ebp+var_14]
.text:10024E41                 imul    eax, 6
.text:10024E44                 inc     eax
.text:10024E45                 inc     eax
.text:10024E46                 cmp     eax, [ebp+var_14]
.text:10024E49                 jbe     loc_10024FB8

i.e. the patched code only proceeds if (encode_data_size * 6 + 2) > encode_data_size (unsigned compare, jbe).

Note that it seems this patch can be bypassed; see CVE-2015-8446.
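The following is an added example, written for this page; it is not Flash's code and not the assessor's. It models the size arithmetic from both the Description (the 0x2aaaaaaa bound) and the assessment above (the imul/add sequence, the reallocation check, and the (n*6+2) > n comparison from the 18.0.0.232 patch). Assumptions: the assessment writes the multiplied operand once as encode_data_size - 1 and once as encode_data_size, and the "- 1" only shifts the threshold by one, so the example uses a single operand n for whatever value ends up in ebx / var_14; the initial decode buffer of 0x1000 bytes and the rule that the decoder writes the untruncated number of output bytes are modelling assumptions used to show the "large copy into a small buffer". The last input also shows that the comparison as transcribed above is not a complete wrap check (n*6+2 can wrap and still exceed n); the page does not say whether that is the CVE-2015-8446 bypass, and this example makes no claim about it.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The vulnerable computation: n * 6 + 2 in 32-bit arithmetic
 * (imul eax, 6 / add eax, 2), which wraps silently once n * 6 needs
 * more than 32 bits. */
static uint32_t decode_size_32(uint32_t n) {
    return n * 6u + 2u;
}

/* The same quantity without truncation, so we can tell whether it wrapped. */
static uint64_t decode_size_exact(uint32_t n) {
    return (uint64_t)n * 6u + 2u;
}

static bool wraps(uint32_t n) {
    return decode_size_exact(n) > UINT32_MAX;
}

/* The check the assessment reads out of 18.0.0.232: compute n*6+2, then
 * `cmp eax, n ; jbe bail`, i.e. accept only if (n*6+2) > n, unsigned. */
static bool patched_check_accepts(uint32_t n) {
    return decode_size_32(n) > n;
}

/* Exact precondition for no wrap: n*6+2 <= UINT32_MAX, i.e.
 * n <= (UINT32_MAX - 2) / 6 = 0x2AAAAAAA, the bound the Description quotes. */
#define MAX_SAFE_N ((UINT32_MAX - 2u) / 6u)

static bool exact_check_accepts(uint32_t n) {
    return n <= MAX_SAFE_N;
}

/* Simulation of the reallocation logic in the assessment: a decode buffer of
 * current_buffer_size bytes is grown to the computed decoded size if it is
 * smaller.  Modelling assumption (not from the page): the decoder then writes
 * the true, untruncated number of output bytes.  Returns how many bytes would
 * land past the end of the buffer, 0 if none. */
static uint64_t overflow_bytes(uint32_t current_buffer_size, uint32_t n) {
    uint32_t decoded_buffer_size = decode_size_32(n);
    uint64_t buffer = current_buffer_size;
    if (buffer < decoded_buffer_size) {
        buffer = decoded_buffer_size;   /* reallocate the decode buffer */
    }
    uint64_t written = decode_size_exact(n);
    return written > buffer ? written - buffer : 0;
}

static void report(uint32_t n) {
    printf("n=0x%08" PRIx32 "  size32=0x%08" PRIx32 "  wraps=%d  patched_ok=%d"
           "  exact_ok=%d  overflow=0x%" PRIx64 "\n",
           n, decode_size_32(n), wraps(n), patched_check_accepts(n),
           exact_check_accepts(n), overflow_bytes(0x1000u, n));
}

int main(void) {
    report(100u);            /* ordinary tag: no wrap, both checks accept   */
    report(MAX_SAFE_N);      /* 0x2AAAAAAA: largest n that does not wrap    */
    report(MAX_SAFE_N + 1u); /* 0x2AAAAAAB: wraps to 4, no realloc, patch rejects */
    report(0x40000000u);     /* wraps to 0x80000002, yet (n*6+2) > n still holds */
    return 0;
}
```

For n = 0x2AAAAAAB the 32-bit size wraps to 4, so the 0x1000-byte buffer is never reallocated and the decoder's write runs roughly 4 GiB past it; the patched comparison catches that case because the wrapped value is smaller than n. For n = 0x40000000 the product wraps to 0x80000002, which is still larger than n, so the transcribed comparison accepts it even though the real size is 0x180000002; the exact bound n <= 0x2AAAAAAA is the check that rejects every wrapping input.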
