Closed Bug 739864 Opened 14 years ago Closed 13 years ago

Probably Exploitable - Data from Faulting Address controls Code Flow starting at <Unloaded_RT40.dll>+0x0000000004eaa617 (Hash=0x1a482f78.0x7a2d3e4b)

Categories

(Plugins Graveyard :: Silverlight (Microsoft), defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

References

()

Details

(Keywords: crash, sec-vector, Whiteboard: [sg:vector-critical (Microsoft)])

Attachments

(1 file)

Attached file windbg output
1. http://social.zune.net/bingplayer/?v=1.0#mid=7F8D2800-0100-11DB-89CA-0019B92A3933&title=Go%20No%20More%20A-Roving&artist=Leonard%20Cohen&album=Dear%20Heather&artistid=9C070000-0600-11DB-89CA-0019B92A3933&albumid=798D2800-0100-11DB-89CA-0019B92A3933&dto=1&
2. Crash

Beta/12, Aurora/13, Nightly/14 Debug builds Silverlight 5.0.61118.0 Windows XP/Windows 7. Opt builds can't play the content but don't appear to crash.

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     2 CPUs

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x730083
Assertion: Unknown assertion type 0x00000000

Thread 11 (crashed)
 0  agcore.dll + 0x33c4a
    eip = 0x70db3c4a   esp = 0x0484f520   ebp = 0x0484f7f4   ebx = 0x8000ffff
    esi = 0x0073006f   edi = 0x03c4c0f8   eax = 0x00000039   ecx = 0x03c4c190
    edx = 0x00000000   efl = 0x00010206
    Found by: given as instruction pointer in context
 1  agcore.dll + 0x33ebd
    eip = 0x70db3ebe   esp = 0x0484f7fc   ebp = 0x0484f82c
    Found by: previous frame's frame pointer
 2  agcore.dll + 0x33e78
    eip = 0x70db3e79   esp = 0x0484f834   ebp = 0x0484f844
    Found by: previous frame's frame pointer
 3  kernel32.dll + 0x13399
    eip = 0x762e339a   esp = 0x0484f84c   ebp = 0x0484f850
    Found by: previous frame's frame pointer
 4  ntdll.dll + 0x39ef1
    eip = 0x77169ef2   esp = 0x0484f858   ebp = 0x0484f890
    Found by: previous frame's frame pointer
 5  ntdll.dll + 0x39ec4
    eip = 0x77169ec5   esp = 0x0484f898   ebp = 0x0484f8a8
    Found by: previous frame's frame pointer

minidump exploitable analyzer calls this low exploitability. !exploitable is a bit more dire: PROBABLY_EXPLOITABLE
Keywords: sec-vector
Keywords: sec-other
No longer reproducible on Windows XP, Windows 7 Firefox 19, 20, 21 with Silverlight 5.1.10411 but they've moved their site to xbox.com so I'm not sure visiting the url now is effectively testing this. I'll try to arrange a scan of xbox music and see what's up.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Product: Plugins → Plugins Graveyard
Group: core-security-release