Closed Bug 510230 Opened 16 years ago Closed 12 years ago

Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel

Categories

(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: cbook, Unassigned)

Details

(Keywords: crash, sec-vector, Whiteboard: [sg:vector-critical (flash)])

Steps to reproduce:
-> Load http://pages.ebay.de/viewitem/tutorial.html

(da0.8b8): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a624000 ebx=00000010 ecx=0012e4f4 edx=0b8f0000 esi=0b8f0000 edi=0012e4f4
eip=0a358d2a esp=0012e2cc ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250202
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4:
0a358d2a 881e            mov     byte ptr [esi],bl          ds:0023:0b8f0000=00

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xa358d2a
First Chance Exception Type: STATUS_GUARD_PAGE_VIOLATION (0x80000001)
Exception Hash (Major/Minor): 0x00000000.0x00000007

Stack Trace:
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
Instruction Address: 0x000000000a358d2a

Description: Guard Page Violation
Short Description: GuardPage
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000dd9f4 (Hash=0x00000000.0x00000007)

0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87

FAULTING_IP:
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e            mov     byte ptr [esi],bl

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 0a358d2a (NPSWF32!native_ShockwaveFlash_TCallLabel+0x000dd9f4)
   ExceptionCode: 80000001 (Guard page violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0b8f0000

FAULTING_THREAD:  000008b8
BUGCHECK_STR:  80000001
DEFAULT_BUCKET_ID:  APPLICATION_FAULT
PROCESS_NAME:  firefox.exe
ERROR_CODE: (NTSTATUS) 0x80000001 - {EXCEPTION}  Guard Page Exception  A page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.
LAST_CONTROL_TRANSFER:  from 0a358fbd to 0a358d2a

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd 00000010 00000003 0012e4f4 NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 00000000 00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87

FOLLOWUP_IP:
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e            mov     byte ptr [esi],bl

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: NPSWF32
IMAGE_NAME:  NPSWF32.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4a613f8d
STACK_COMMAND:  ~0s ; kb
FAILURE_BUCKET_ID:  80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
BUCKET_ID:  80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
Followup: MachineOwner
---------
That's a Flash error: did you file it with Adobe?
No, but he notified Adobe by including Charles in the cc list. The consensus was to file them here.
Keywords: crash
Whiteboard: [sg:vector-critical (flash)]
A first-chance exception on a guard page violation is typically not exploitable with Flash Player. Flash Player should catch the guard page exception and handle it appropriately. Change your debugger to ignore guard page exceptions and try to reproduce it again.
I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player 10.0.32.18. No crash.
(In reply to comment #4)
> I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player
> 10.0.32.18. No crash.

Hi Charles, it's no crash, it's a first exception that I saw when I tested with windbg. I used windbg http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx and !exploitable http://www.codeplex.com/msecdbg. To set up windbg I used the how-to from https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg, and for !exploitable I ran the !load winext\MSEC.dll command. After loading the URL from comment #0 I got this exception.
Charles, the same exception can be seen when opening the following page: http://www.teamsolutions.fr/ Does it help you?
Group: core-security
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: 1.9.1 Branch → unspecified
Group: core-security
Keywords: sec-vector
Keywords: sec-other
INVALID per Peleus.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard