Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel

Status

RESOLVED INVALID
9 years ago
6 years ago

People

(Reporter: cbook, Unassigned)

Tracking

({crash, sec-vector})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:vector-critical (flash)], URL)

(Reporter)

Description

9 years ago
Steps to reproduce:
-> Load http://pages.ebay.de/viewitem/tutorial.html

(da0.8b8): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a624000 ebx=00000010 ecx=0012e4f4 edx=0b8f0000 esi=0b8f0000 edi=0012e4f4
eip=0a358d2a esp=0012e2cc ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250202
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4:
0a358d2a 881e            mov     byte ptr [esi],bl          ds:0023:0b8f0000=00
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xa358d2a
First Chance Exception Type: STATUS_GUARD_PAGE_VIOLATION (0x80000001)

Exception Hash (Major/Minor): 0x00000000.0x00000007

Stack Trace:
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
Instruction Address: 0x000000000a358d2a

Description: Guard Page Violation
Short Description: GuardPage
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000dd9f4 (Hash=0x00000000.0x00000007)
0:000> kp
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
FAULTING_IP: 
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e            mov     byte ptr [esi],bl

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 0a358d2a (NPSWF32!native_ShockwaveFlash_TCallLabel+0x000dd9f4)
   ExceptionCode: 80000001 (Guard page violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0b8f0000

FAULTING_THREAD:  000008b8

BUGCHECK_STR:  80000001

DEFAULT_BUCKET_ID:  APPLICATION_FAULT

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0x80000001 - {EXCEPTION}  Guard Page Exception  A page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.

LAST_CONTROL_TRANSFER:  from 0a358fbd to 0a358d2a

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd 00000010 00000003 0012e4f4 NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 00000000 00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87


FOLLOWUP_IP: 
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e            mov     byte ptr [esi],bl

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NPSWF32

IMAGE_NAME:  NPSWF32.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a613f8d

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4

BUCKET_ID:  80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4

Followup: MachineOwner
---------

Comment 1

9 years ago
That's a Flash error: did you file it with Adobe?

Comment 2

9 years ago
No, but he notified Adobe by including Charles in the cc list. The consensus was to file them here.
Keywords: crash
Whiteboard: [sg:vector-critical (flash)]

Comment 3

9 years ago
A first chance exception on a guard page violation is typically not exploitable with Flash Player. Flash Player should catch the guard page exception and handle it appropriately. Change your debugger to ignore guard page exceptions and try to reproduce it again.
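
The triage rule from this comment, applied to the report format shown in comment #0, as an added example (this is not code from the bug, from Mozilla or from Adobe). It parses the key/value lines that !exploitable prints, marks a first-chance STATUS_GUARD_PAGE_VIOLATION (0x80000001) for a re-run with the debugger ignoring guard-page exceptions instead of accepting the EXPLOITABLE classification, and groups hits by the Major/Minor hash so duplicates are looked at once. The first sample report is abridged from the bug's own output; the second is a constructed write access violation that the rule must leave untouched. The verdict strings, the field names and the `sxi gp` WinDbg command in the action text are the example's own choices.

```python
"""Triage WinDbg !exploitable reports so first-chance guard-page hits are
not filed as exploitable.

Added example, not code from the bug, from Mozilla or from Adobe. A
first-chance STATUS_GUARD_PAGE_VIOLATION (0x80000001) is an exception the
application is expected to handle itself (stack or lazy-heap growth), so
such a report is marked for a re-run with guard-page exceptions ignored
rather than accepted as EXPLOITABLE.
"""
import re
from collections import defaultdict

# Sample 1: abridged from the !exploitable output posted in the bug.
SAMPLE_GUARD_PAGE = """\
Event Type: Exception
Exception Faulting Address: 0xa358d2a
First Chance Exception Type: STATUS_GUARD_PAGE_VIOLATION (0x80000001)
Exception Hash (Major/Minor): 0x00000000.0x00000007
Description: Guard Page Violation
Short Description: GuardPage
Exploitability Classification: EXPLOITABLE
"""

# Sample 2: constructed second-chance write access violation; the
# guard-page rule must not touch it.
SAMPLE_WRITE_AV = """\
Event Type: Exception
Exception Faulting Address: 0x41414141
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xc0000005)
Exception Hash (Major/Minor): 0x1a2b3c4d.0x5e6f7a8b
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
"""

STATUS_GUARD_PAGE_VIOLATION = 0x80000001

_EXC_TYPE = re.compile(
    r"^(First|Second) Chance Exception Type:\s*(\w+)\s*\((0x[0-9A-Fa-f]+)\)", re.M)
_CLASS = re.compile(r"^Exploitability Classification:\s*(\w+)", re.M)
_HASH = re.compile(r"^Exception Hash \(Major/Minor\):\s*(\S+)", re.M)
_ADDR = re.compile(r"^Exception Faulting Address:\s*(0x[0-9A-Fa-f]+)", re.M)


def parse_report(text):
    """Pull the fields the triage rule needs out of one !exploitable report."""
    exc = _EXC_TYPE.search(text)
    cls = _CLASS.search(text)
    if exc is None or cls is None:
        raise ValueError("not a complete !exploitable report")
    hsh = _HASH.search(text)
    addr = _ADDR.search(text)
    return {
        "chance": exc.group(1).lower(),          # "first" or "second"
        "exception": exc.group(2),               # e.g. STATUS_GUARD_PAGE_VIOLATION
        "code": int(exc.group(3), 16),           # NTSTATUS value as an int
        "classification": cls.group(1),          # what !exploitable said
        "hash": hsh.group(1) if hsh else None,   # Major.Minor bucket key
        "address": int(addr.group(1), 16) if addr else None,
    }


def triage(text):
    """Apply the guard-page rule and return the report with a 'verdict'."""
    r = parse_report(text)
    if r["code"] == STATUS_GUARD_PAGE_VIOLATION and r["chance"] == "first":
        # The application's own handler has not run yet at first chance, so
        # this is not evidence of memory corruption until it still faults
        # with guard-page exceptions ignored in the debugger.
        r["verdict"] = "RETEST"
        r["action"] = ("re-run with the debugger ignoring guard-page exceptions "
                       "(WinDbg: sxi gp) and keep only if it still faults")
    else:
        r["verdict"] = r["classification"]
        r["action"] = "keep for analysis"
    return r


def bucket(reports):
    """Group triaged reports by the Major/Minor hash so repeated hits of the
    same site are reviewed once."""
    groups = defaultdict(list)
    for text in reports:
        r = triage(text)
        groups[r["hash"]].append(r)
    return dict(groups)


if __name__ == "__main__":
    hits = [SAMPLE_GUARD_PAGE, SAMPLE_WRITE_AV, SAMPLE_GUARD_PAGE]
    for h, rs in bucket(hits).items():
        print(f"{h}: {len(rs)} hit(s), verdict {rs[0]['verdict']}: {rs[0]['action']}")
```

Running the script on the two samples yields one RETEST bucket (the bug's guard-page hit, seen twice) and one EXPLOITABLE bucket for the constructed write AV; feeding it a directory of saved !exploitable logs from a fuzzing run gives the same split across the whole corpus.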

Comment 4

9 years ago
I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player 10.0.32.18.  No crash.
(Reporter)

Comment 5

9 years ago
(In reply to comment #4)
> I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player
> 10.0.32.18.  No crash.

Hi Charles

It's no crash, it's a first exception that I saw when I tested with windbg.

I used windbg http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx and !exploitable http://www.codeplex.com/msecdbg

To set up windbg I used the how-to from https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg and, for !exploitable, ran the !load winext\MSEC.dll command. After loading the URL from comment #0 I got this exception.
Charles, the same exception can be seen when opening the following page:
http://www.teamsolutions.fr/
Does it help you?

Updated

9 years ago
Group: core-security
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: 1.9.1 Branch → unspecified
Group: core-security
Keywords: sec-vector
Keywords: sec-other

Comment 7

6 years ago
INVALID per Peleus.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID