Attacker Value: Unknown (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Adobe Flash ID3 Decode Integer Overflow

Disclosure Date: December 10, 2015. Last updated: February 13, 2020.

Description

Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via an MP3 file with COMM tags that are mishandled during memory allocation, a different vulnerability than CVE-2015-8438.

Technical Analysis

Details

This is a vulnerability in Adobe Flash. It is due to an incomplete patch of CVE-2015-5560. The decode_buffer_size is calculated this way in Flash:

decode_buffer_size = (encode_data_size - 1) * 6 + 2

In asm:

.text:10024F13 loc_10024F13:                           ; CODE XREF: sub_10024C79+278j
.text:10024F13                 mov     eax, ebx
.text:10024F15                 imul    eax, 6
.text:10024F18                 add     eax, 2
.text:10024F1B                 cmp     [esi+28h], eax
.text:10024F1E                 mov     [ebp+var_20], eax
.text:10024F21                 jge     short loc_10024F4D

During decoding, the buffer can be reallocated:

int current_buffer_size;
int decoded_buffer_size;

if (current_buffer_size < decoded_buffer_size) {
    // reallocate the decode buffer
}

If encode_data_size is larger than 0x2aaaaaab, the 32-bit calculation of (encode_data_size - 1) * 6 + 2 wraps around, i.e. an integer overflow.

Patch for CVE-2015-5560

Version 18.0.0.232:

.text:10024E3E                 mov     eax, [ebp+var_14]
.text:10024E41                 imul    eax, 6
.text:10024E44                 inc     eax
.text:10024E45                 inc     eax
.text:10024E46                 cmp     eax, [ebp+var_14]
.text:10024E49                 jbe     loc_10024FB8
The added check (jbe, an unsigned comparison) accepts the size only if: (encode_data_size * 6 + 2) > encode_data_size

Analysis of CVE-2015-8446

If the patch is bypassed, we have CVE-2015-8446.

If encode_data_size is 0x15555580:

(0x15555580 - 1) * 6 + 2 = 0x800000FC

This passes the unsigned check (0x800000FC > 0x15555580), but as a signed 32-bit value it is less than 0.

The buffer size comparison during decoding (jge, signed) therefore does not trigger a reallocation, and that can cause an overflow.
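The following C program is an added example, not Flash code or Adobe's patch; it reproduces the 32-bit arithmetic from the two passages above (the wrap-around for large encode_data_size, and the 0x15555580 case that slips past the 18.0.0.232 check) and contrasts it with a hardened size computation. It assumes the unsigned (jbe) check operates on encode_data_size itself as in the listing, and that the realloc comparison is signed (jge); the function names and the 0x1000 sample buffer size are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The decoder's formula, evaluated with 32-bit unsigned wrap-around
   exactly as a 32-bit register does (imul 6 / add 2). */
uint32_t decode_size_wrapping(uint32_t encode_data_size)
{
    return (encode_data_size - 1u) * 6u + 2u;
}

/* The 18.0.0.232 check as the analysis reads it: accept the size only
   if encode_data_size * 6 + 2 > encode_data_size. jbe compares unsigned,
   so the comparison is done on uint32_t. (Operand choice is an assumption.) */
bool patch_check_accepts(uint32_t encode_data_size)
{
    uint32_t v = encode_data_size * 6u + 2u;
    return v > encode_data_size;
}

/* The reallocation test in the decoder. jge is a signed comparison, so a
   "size" with the top bit set is negative and never forces a reallocation. */
bool realloc_triggered(uint32_t current_buffer_size, uint32_t decoded_buffer_size)
{
    return (int32_t)current_buffer_size < (int32_t)decoded_buffer_size;
}

/* Hardened computation (a suggestion added here, not Adobe's fix): bound the
   multiplicand before multiplying so the product cannot wrap, and reject any
   result that is not a non-negative int32, since the consumer compares signed.
   Returns false when the size must be rejected. */
bool decode_size_checked(uint32_t encode_data_size, uint32_t *out)
{
    if (encode_data_size == 0u)           /* 0 - 1 would wrap to 0xFFFFFFFF */
        return false;
    uint32_t n = encode_data_size - 1u;
    if (n > (UINT32_MAX - 2u) / 6u)       /* n * 6 + 2 would exceed 32 bits */
        return false;
    uint32_t v = n * 6u + 2u;
    if (v > (uint32_t)INT32_MAX)          /* would read as negative under jge */
        return false;
    *out = v;
    return true;
}

int main(void)
{
    /* Constructed inputs: a benign size, the CVE-2015-5560-style wrap
       (> 0x2aaaaaab), and the CVE-2015-8446 value from the analysis. */
    uint32_t cases[] = { 1000u, 0x2AAAAAACu, 0x15555580u };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t n = cases[i], checked = 0;
        uint32_t wrapped = decode_size_wrapping(n);
        printf("encode_data_size=0x%08X size=0x%08X patch_accepts=%d "
               "realloc(cur=0x1000)=%d hardened=%s\n",
               n, wrapped, patch_check_accepts(n),
               realloc_triggered(0x1000u, wrapped),
               decode_size_checked(n, &checked) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows the three regimes side by side: the benign size passes everything, the large value wraps to a tiny size and is stopped by the 18.0.0.232 check, and 0x15555580 passes the unsigned check yet yields 0x800000FC, which the signed realloc test treats as smaller than a 0x1000-byte buffer; the hardened routine rejects both bad inputs because it bounds the product before multiplying and refuses any result above INT32_MAX.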

ByteArray Length Protection

Adobe introduced the ByteArray Length Protection in December, which would make exploitation difficult against newer versions of Adobe Flash.

It is likely the exploit in the wild exploited an older version of Adobe Flash (this needs to be confirmed).
