Closed
Bug 510230
Opened 16 years ago
Closed 12 years ago
Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
External Software Affecting Firefox Graveyard
Flash (Adobe)
x86
Windows XP
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: cbook, Unassigned)
Details
(Keywords: crash, sec-vector, Whiteboard: [sg:vector-critical (flash)])
Steps to reproduce:
-> Load http://pages.ebay.de/viewitem/tutorial.html
(da0.8b8): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a624000 ebx=00000010 ecx=0012e4f4 edx=0b8f0000 esi=0b8f0000 edi=0012e4f4
eip=0a358d2a esp=0012e2cc ebp=00000003 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00250202
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4:
0a358d2a 881e mov byte ptr [esi],bl ds:0023:0b8f0000=00
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xa358d2a
First Chance Exception Type: STATUS_GUARD_PAGE_VIOLATION (0x80000001)
Exception Hash (Major/Minor): 0x00000000.0x00000007
Stack Trace:
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
Instruction Address: 0x000000000a358d2a
Description: Guard Page Violation
Short Description: GuardPage
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000dd9f4 (Hash=0x00000000.0x00000007)
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
FAULTING_IP:
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e mov byte ptr [esi],bl
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 0a358d2a (NPSWF32!native_ShockwaveFlash_TCallLabel+0x000dd9f4)
ExceptionCode: 80000001 (Guard page violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0b8f0000
FAULTING_THREAD: 000008b8
BUGCHECK_STR: 80000001
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0x80000001 - {EXCEPTION} Guard Page Exception A page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.
LAST_CONTROL_TRANSFER: from 0a358fbd to 0a358d2a
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e2d8 0a358fbd 00000010 00000003 0012e4f4 NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4
00000000 00000000 00000000 00000000 00000000 NPSWF32!native_ShockwaveFlash_TCallLabel+0xddc87
FOLLOWUP_IP:
NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
0a358d2a 881e mov byte ptr [esi],bl
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NPSWF32
IMAGE_NAME: NPSWF32.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a613f8d
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: 80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
BUCKET_ID: 80000001_NPSWF32!native_ShockwaveFlash_TCallLabel+dd9f4
Followup: MachineOwner
---------
Comment 1•16 years ago
That's a Flash error: did you file it with Adobe?
Comment 2•16 years ago
No, but he notified Adobe by including Charles in the cc list. The consensus was to file them here.
Keywords: crash
Whiteboard: [sg:vector-critical (flash)]
Comment 3•15 years ago
A first-chance exception on a guard page violation is typically not exploitable with Flash Player. Flash Player should catch the guard page exception and handle it appropriately. Change your debugger to ignore guard page exceptions and try to reproduce it again.
I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player 10.0.32.18. No crash.
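Why a first-chance STATUS_GUARD_PAGE_VIOLATION is not, by itself, evidence of a bug: an application that reserves a region with a PAGE_GUARD page at its end expects the first touch of that page to fault, catches the exception, commits the page, and lets the faulting instruction retry. !exploitable rates the first-chance event EXPLOITABLE because it only sees the fault, not whether a handler absorbs it; note that the faulting address in the trace above (0x0b8f0000) is page-aligned, as a guard page would be. The example below is added for this page and is not Flash Player's code; it is the POSIX analogue of that mechanism (a PROT_NONE page plus a SIGSEGV handler instead of PAGE_GUARD plus a structured exception handler), with the function and variable names chosen here. The store it performs mirrors the faulting `mov byte ptr [esi],bl` from the trace, and a fault on any address outside the guard page is left to crash the process, which is what a debugger would then report as a real, second-chance fault.

```c
/* Lazily committed region ending in a guard page, with a SIGSEGV handler that
 * commits the page on first touch and resumes the faulting instruction.
 * POSIX analogue of Windows PAGE_GUARD / STATUS_GUARD_PAGE_VIOLATION.
 * Illustration written for this page; not Flash Player's own code. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static unsigned char *region;             /* start of the committed pages */
static unsigned char *guard;              /* the guard page right after them */
static size_t page_size;
static volatile sig_atomic_t guard_hits;  /* expected, handled faults */

static void guard_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t fault = (uintptr_t)si->si_addr;
    uintptr_t page = fault & ~(uintptr_t)(page_size - 1);

    if (guard != NULL && (unsigned char *)page == guard) {
        /* Expected: first touch of our own guard page. Commit it and return;
         * the kernel re-executes the faulting store, which now succeeds.
         * (mprotect is a plain syscall, safe to call from a handler on Linux.) */
        if (mprotect(guard, page_size, PROT_READ | PROT_WRITE) == 0) {
            guard_hits++;
            return;
        }
    }
    /* Anything else is a genuine bad access: restore the default action so the
     * re-executed instruction terminates the process. Under a debugger this is
     * the unhandled, second-chance fault that is actually worth triaging. */
    signal(SIGSEGV, SIG_DFL);
}

/* Map committed_pages RW pages followed by one guard page and install the
 * handler. Returns 0 on success, -1 on failure. */
int guard_region_init(size_t committed_pages)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (committed_pages + 1) * page_size;
    unsigned char *p = mmap(NULL, total, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    region = p;
    guard = p + committed_pages * page_size;
    if (mprotect(guard, page_size, PROT_NONE) != 0)
        return -1;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = guard_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Equivalent of the trace's "mov byte ptr [esi],bl": a one-byte store to the
 * first address of the guard page. Returns 0 if the store landed, i.e. the
 * fault was absorbed by the handler and the page is now committed. */
int store_byte_at_guard(unsigned char value)
{
    volatile unsigned char *p = guard;   /* volatile: keep the real store and load */
    p[0] = value;
    return p[0] == value ? 0 : -1;
}

/* Number of guard-page faults the handler has absorbed so far. */
int guard_hit_count(void)
{
    return (int)guard_hits;
}

/* Classify a faulting address the way the handler does: 1 if it lies in the
 * guard page (expected, handled), 0 otherwise (a real bad access). */
int is_guard_page_fault(uintptr_t fault_addr)
{
    uintptr_t page = fault_addr & ~(uintptr_t)(page_size - 1);
    return guard != NULL && (unsigned char *)page == guard;
}

int main(void)
{
    if (guard_region_init(2) != 0) {
        perror("guard_region_init");
        return 1;
    }
    printf("region %p, guard page %p, hits: %d\n",
           (void *)region, (void *)guard, guard_hit_count());
    store_byte_at_guard(0x10);                                   /* bl was 0x10 in the trace */
    printf("hits after first store: %d\n", guard_hit_count());   /* 1: handled */
    store_byte_at_guard(0x11);                                   /* page committed: no fault */
    printf("hits after second store: %d\n", guard_hit_count());  /* still 1 */
    return 0;
}
```

The practical check, per the advice above: in WinDbg run `sxd gp` so first-chance guard page violations are handed to the application and the debugger breaks only if one comes back unhandled as a second-chance exception (`sx` lists the current settings), then run `!exploitable` on that second-chance stop; a classification taken from the first-chance event tells you only that a guard page was touched, not whether the application's handler was going to deal with it.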
Comment 5•15 years ago
(In reply to comment #4)
> I am unable to reproduce this on Windows 7 with FF 3.5.2 and Flash Player
> 10.0.32.18. No crash.
Hi Charles
It's no crash, it's a first exception that I saw when I tested with windbg.
I used windbg http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx and !exploitable http://www.codeplex.com/msecdbg
To set up windbg I used the how-to from https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg and for !exploitable I ran the !load winext\MSEC.dll command. After loading the URL from comment #0 I got this exception.
Comment 6•15 years ago
Charles, the same exception can be seen when opening the following page:
http://www.teamsolutions.fr/ Does it help you?
Group: core-security
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: 1.9.1 Branch → unspecified
Updated•15 years ago
Group: core-security
Updated•13 years ago
Keywords: sec-vector
Comment 7•12 years ago
INVALID per Peleus.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Updated•2 years ago
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard