From: "MustLive" <email@example.com>
To: <firstname.lastname@example.org>
Subject: DoS in Adobe Flash (BSOD) in Mozilla Firefox
Date: Sun, 24 Feb 2013 23:50:33 +0200
-----//-----
Hello Mozilla!

Here is information about a vulnerability in Adobe Flash. This is a Denial of Service (memory corruption) leading to BSOD. This hole is related to Adobe Flash, but it can be interesting for you too (as it causes BSOD in Firefox).

I found it on 27.01.2013 and after that recorded a video which demonstrated this DoS and informed Adobe. They fixed this hole in February. Because the BSOD only works in Firefox (including 18.0.1, the last at that time), it must be interesting for you.

Here is the video file which I've made to demonstrate this issue:
http://websecurity.com.ua/uploads/Adobe%20Flash%20DoS%20BSOD.avi

The attack is going on a browser with the Adobe Flash 11.5.502.146 plugin, and VideoJS Flash Component v3.0 is used in the PoC. In February I also informed the developers of VideoJS.

In Mozilla Firefox 15.0.1 and 18.0.1 - freezing of the browser (which can't even be closed) and BSOD of the OS.
In Mozilla Firefox 3.0.19 - nothing (everything works fine).
In Opera 10.62 - freezing of the browser (interface doesn't react, video is playing, but browser still can be closed).

Adobe fixed this hole in version 11.6.602.168 on 12.02.2013. So I'm planning to disclose this video PoC and information about the vulnerability soon. Meanwhile you can watch this video.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

>>>>>>>>>>>>>>
From: Mozilla Security <email@example.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: MustLive <firstname.lastname@example.org>
Subject: Re: DoS in Adobe Flash (BSOD) in Mozilla Firefox
-----//-----
Thanks for the information Eugene. We obviously can't fix this but we can use this information when considering options with Click To Play.

--
Curtis Koenig
Mozilla Corp.
Security Program Manager

>>>>>>>>>>>>>>
From: "MustLive" <email@example.com>
To: <firstname.lastname@example.org>
Subject: Re: DoS in Adobe Flash (BSOD) in Mozilla Firefox
Date: Tue, 26 Feb 2013 23:50:13 +0200
-----//-----
Hi Curtis!

Yes, of course use this information for improving your Click To Play feature. But I see that this crash of Firefox (and my video PoC) can be useful for Mozilla also from another point of view.

Earlier you made such a feature in Firefox (since Firefox 4) as playing flash in a separate process. It should make your browser more stable in crashes of the flash player plugin. But in result, as you can see from this case, it led not just to crashing of the browser, but to crashing of the OS (to BSOD).

Old versions of the browser (such as 3.0.x, 3.5.x and 3.6.x and even 10.0.7 ESR) are not affected by this hole, as I've written in my description. Only newer versions are affected - 15.0.1 and 18.0.1 (which I've tested). So this separation feature (to run plugins such as flash via the separate application plugin-container.exe in a separate process) will lead to this problem. Neither earlier versions of Firefox, nor Chrome and Opera are creating BSOD (in Opera the browser just freezes). So you need to improve the separation feature.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Can we get the about:support information from the affected computer? In particular I'm interested in the OS version and graphics card information, because if this is only with AMD Radeon cards I suspect it is related to a recent ATI driver problem we are debugging.
Component: Security → Plug-ins
Curtis.

It's exactly what I meant (made a hint in my letter). That you need to open an entry in Bugzilla. And investigate it more thoroughly.

If Mozilla needs, I can send you a working PoC/exploit for this crash (BSOD). Which leads to BSOD as shown in my video PoC.
Benjamin!

I've tested this DoS hole on multiple computers. It works only on ATI/AMD cards and doesn't work on nVidia cards. On affected computers with Radeon cards were used Windows XP (with Firefox 15.0.1) and Windows 7 (with Firefox 18.0.1). I'm using Radeon HD6770 and I don't know which Radeon my friend is using on his computer with Windows 7 (I only know that it's exactly Radeon).

> if this is only with AMD Radeon cards I suspect it is related to a recent ATI driver problem we are debugging.

Yes, only Radeon as I see from all computers on which I've tested. But I see the root is in Flash 11.5.502.146, because in Flash 11.4 and all previous versions which I've used there were no problems. Just after updating from 11.4 to 11.5.502.146 I've seen such instability (one non-repeatable crash on YouTube and this constant crash with BSOD on VideoJS player) with video playback.

> Can we get the about:support information

Here is information from my PC (about browser and graphics card):

Application Basics
Name: Firefox
Version: 15.0.1
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1

Graphics
Adapter Description: ASUS EAH6770 Series
Vendor ID: 0x1002
Device ID: 0x68ba
Adapter RAM: Unknown
Adapter Drivers: ati2dvag
Driver Version: 8.841.0.0
Driver Date: 4-5-2011
WebGL Renderer: Google Inc. -- ANGLE (ASUS EAH6770 Series) -- OpenGL ES 2.0 (ANGLE 22.214.171.1241)
GPU Accelerated Windows: 0
(In reply to MustLive from comment #2)
> Curtis.
>
> It's exactly what I meant (made a hint in my letter). That you need to
> open an entry in Bugzilla. And investigate it more thoroughly.
>
> If Mozilla needs, I can send you a working PoC/exploit for this crash (BSOD).
> Which leads to BSOD as shown in my video PoC.

If you can attach the PoC to this bug that would be helpful. Also, as :bsmedberg asked, if you have a crash ID (about:crashes) or can attach the output from about:support to the comments here in the bug, that would also be very helpful for our investigation.
Created attachment 719096
PoC/exploit for DoS (BSOD)

The exploit for crash in Adobe Flash. The exploit (BSOD) works at turning on/off sound (via "sound icon") or at mouse clicking in flash player area. But in the last case the crash occurs slowly, so clicking on "sound icon" is faster way to BSOD.
Curtis! The output from about:support I've posted earlier, and now I've added rar-archive with poc/exploit. For testing locally you can use my DoS exploit. In this case you will need to have web server and start it at localhost, i.e. http://localhost/poc.htm - because swf-file is working in network mode only. For my exploit you need to have mp4 file (any video) near the exploit - put it near poc.htm. I've not placed poc.mp4 into archive to decrease its size - you can put any video file (it should work), or if you want the same atmosphere as in my video PoC, then you can download that video with dog and place it as poc.mp4 to the folder with exploit.
(In reply to MustLive from comment #6)
> Curtis!
>
> The output from about:support I've posted earlier, and now I've added
> rar-archive with poc/exploit.
>
> For testing locally you can use my DoS exploit. In this case you will need
> to have web server and start it at localhost, i.e. http://localhost/poc.htm
> - because swf-file is working in network mode only.
>
> For my exploit you need to have mp4 file (any video) near the exploit - put
> it near poc.htm. I've not placed poc.mp4 into archive to decrease its size -
> you can put any video file (it should work), or if you want the same
> atmosphere as in my video PoC, then you can download that video with dog and
> place it as poc.mp4 to the folder with exploit.

Thanks for all the info, we'll look into this as soon as we can.
Can I also have the source of the .swf?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csec-dos, sec-vector, testcase
Whiteboard: Radeon/ati2dvag driver issue?
So far, I can't reproduce this on an AMD machine which has experienced our other crashes. At this point, I don't think we really want to track this in the Mozilla bugtracker. You should file it either with Adobe or with AMD (or both). I'm cc'ing a couple of our Adobe contacts in case they would like to file it directly.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Component: Plug-ins → Flash (Adobe)
Keywords: crash, csec-dos, sec-vector, testcase
Product: Core → Plugins
Resolution: --- → INVALID
Whiteboard: Radeon/ati2dvag driver issue?
Version: 18 Branch → unspecified
(In reply to Benjamin Smedberg [:bsmedberg] from comment #9)
> So far, I can't reproduce this on an AMD machine which has experienced our
> other crashes. At this point, I don't think we really want to track this in
> the Mozilla bugtracker. You should file it either with Adobe or with AMD (or
> both). I'm cc'ing a couple of our Adobe contacts in case they would like to
> file it directly.

I think part of the point here is that the current version of Firefox is performing worse than previous versions, so we might have a performance regression here at the least.
Adobe PSIRT is working with the researcher and has been in direct communication. This is *not* reproducible in current Flash Player versions (as confirmed by researcher), and we're unable to reproduce this on the dozen or so AMD machines that we looked at using the reported version.
Guys!

This is additional information for you. This is from the browser's about:support about the graphics card of my friend, where BSOD also occurred (in Firefox 18.0.1).

Graphics
Direct2D enabled: true
DirectWrite enabled: true (6.1.7601.17514)
GPU #2 active: false
GPU Accelerated Windows: 1/1 Direct3D 10
Driver Version: 8.761.0.0
WebGL Renderer: Google Inc. -- ANGLE (ATI Mobility Radeon HD 4200 Series)
Driver Date: 7-27-2010
Adapter Drivers: aticfx32 aticfx32 atiumdag atidxx32 atiumdva
Vendor ID: 0x1002
Device ID: 0x9712
Adapter RAM: 256
Adapter Description: ATI Mobility Radeon HD 4200 Series
Parameters: ClearTypeGamma: 2200 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50
AzureCanvasBackend: direct2d
AzureContentBackend: direct2d
AzureFallbackCanvasBackend: cairo

Benjamin!

As I've written in my first letter (quoted by Curtis), I informed Adobe already in January. As Jeromie Clark confirmed above.

My main point was, and the reason why Curtis added it to your Bugzilla was, that there was a regression in Firefox. Earlier versions of the browser (such as 3.0.x, 3.5.x and 3.6.x and 10.0.7 ESR) are not affected by this crash and BSOD, but newer versions (such as 15.0.1 and 18.0.1) are affected. Old 3.x versions have no plugin-container.exe (and 10.0.7 ESR has it), but they are stable and not crashing, unlike the last versions of Firefox.
When running current versions of the available drivers for your graphics card(s), do you continue to encounter this crash?
Jeromie!

Last week Pieter already asked me about this. And on the 28th of February I answered Adobe concerning it. I'll resend you that letter.
Firstly, in March 2013 I put that video demonstration on YouTube:

Adobe Flash DoS BSOD
http://www.youtube.com/watch?v=xi29KZ3LD80

Secondly, I've written to Mozilla the information about a new DoS hole in Adobe Flash related to this case.