Closed Bug 845649 Opened 11 years ago Closed 11 years ago

DoS in Adobe Flash (BSOD) in Mozilla Firefox

Categories

(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)

Product:
External Software Affecting Firefox Graveyard
Component:
Flash (Adobe)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: curtisk, Unassigned)

Details

(4 keywords)

Attachments

(1 file)

PoC/exploit for DoS (BSOD)
109.45 KB, application/octet-stream
Details 
From: "MustLive" <mustlive@websecurity.com.ua>
To: <security@mozilla.org>
Subject: DoS in Adobe Flash (BSOD) in Mozilla Firefox
Date: Sun, 24 Feb 2013 23:50:33 +0200
-----//-----
Hello Mozilla!
 
Here is information about vulnerability in Adobe Flash. This is Denial of Service (memory corruption) leaded to BSOD. This hole is related to Adobe Flash, but it can be interesting for you too (as it BSOD in Firefox).
 
I've found it at 27.01.2013 and after that recorded video which demonstrated this DoS and informed Adobe. They have fixed this hole in February. Because BSOD only works in Firefox (including 18.0.1 the last at that time), so it must be interesting for you.
 
Here is video file, which I've made to demonstrate this issue:
 
http://websecurity.com.ua/uploads/Adobe%20Flash%20DoS%20BSOD.avi
 
Attack is going on a browser with Adobe Flash 11.5.502.146 plugin and VideoJS Flash Component v3.0 is used in the PoC. In February I've also informed developers of VideoJS.
 
In Mozilla Firefox 15.0.1 and 18.0.1 - freezing of the browser (which can't even be closed) and BSOD of the OS.
In Mozilla Firefox 3.0.19 - nothing (everything works fine).
In Opera 10.62 - freezing of the browser (interface doesn't react, video is playing, but browser still can be closed).
 
Adobe has fixed this hole in version 11.6.602.168 at 12.02.2013. So I'm planning to disclose this video PoC and information about vulnerability soon. Meanwhile you can watch this video.
 
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

>>>>>>>>>>>>>>

From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;
	rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: MustLive <mustlive@websecurity.com.ua>
Subject: Re: DoS in Adobe Flash (BSOD) in Mozilla Firefox
-----//-----
Thanks for the information Eugene. We obviously can't fix this but we
can use this information when considering options with Click To Play.

--
Curtis Koenig
Mozilla Corp.
Security Program Manager

>>>>>>>>>>>>>>
From: "MustLive" <mustlive@websecurity.com.ua>
To: <security@mozilla.org>
Subject: Re: DoS in Adobe Flash (BSOD) in Mozilla Firefox
Date: Tue, 26 Feb 2013 23:50:13 +0200
-----//-----
Hi Curtis!

Yes, of course use this information for improving your Click To Play
feature.

But I see that this crash of Firefox (and my video PoC) can be useful for
Mozilla also from another point of view.

Earlier you have made such feature in Firefox (since Firefox 4) as playing
flash in separate process. It should make your browser more stable in
crashes of flash player plugin. But in result, as you can see from this
case, it leaded to not just to crashing of the browser, but to crashing of
OS (to BSOD).

Old versions of the browser (such as 3.0.x, 3.5.x and 3.6.x and even 10.0.7
ESR) are not affected to this hole, as I've wrote in my description. Only
affected are newer versions - 15.0.1 and 18.0.1 (which I've tested). So this
separation feature (to run plugins such as flash via separate application
plugin-container.exe in separate process) will lead to this problem. Not
earlier versions of Firefox, nor Chrome and Opera are creating BSOD (in
Opera the browsers just freezes). So you need to improve separation feature.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Can we get the about:support information from the affected computer? In particular I'm interested in the OS version and graphics card information, because if this is only with AMD Radeon cards I suspect it is related to a recent ATI driver problem we are debugging.
Component: Security → Plug-ins
Flags: needinfo?(mustlive)
Curtis.

It's exactly what I've meant (made a hint in my letter). That you need to open entry in bugzilla. And investigate it more thoroughly.

I Mozilla need, I can send you working PoC/exploit for this crash (BSOD). Which leads to BSOD as showed in my video PoC.
Flags: needinfo?(mustlive)
Benjamin!

I've tested this DoS hole in multiple computers. Works only on ATI/AMD cards and doesn't work on nVidia cards. On affected computers with Radeon cards were used Windows XP (with Firefox 15.0.1) and Windows 7 (with Firefox 18.0.1).

I'm using Radeon HD6770 and I don't know which Radeon is using my friend on his computer with Windows 7 (only know that it's exactly Radeon).

> if this is only with AMD Radeon cards I suspect it is related to a recent ATI driver problem we are debugging.

Yes, only Radeon as I see from all computers on which I've tested. But I see the root is in Flash 11.5.502.146, because in Flash 11.4 and all previous versions which I've used there were no problems. Just after updating from 11.4 to 11.5.502.146 I've see such instability (one non-repeatable crash on YouTube and this constant crash with BDOS on VideoJS player) with video playback.

> Can we get the about:support information

Here is information from my PC (about browser and graphics card):

Application Basics

Name         Firefox
Version        15.0.1
User Agent        Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1

Graphics

Adapter Description        ASUS EAH6770 Series
Vendor ID        0x1002
Device ID        0x68ba
Adapter RAM        Unknown
Adapter Drivers        ati2dvag
Driver Version        8.841.0.0
Driver Date        4-5-2011
WebGL Renderer        Google Inc. -- ANGLE (ASUS EAH6770 Series) -- OpenGL ES 2.0 (ANGLE 1.0.0.1041)
GPU Accelerated Windows        0
(In reply to MustLive from comment #2)
> Curtis.
> 
> It's exactly what I've meant (made a hint in my letter). That you need to
> open entry in bugzilla. And investigate it more thoroughly.
> 
> I Mozilla need, I can send you working PoC/exploit for this crash (BSOD).
> Which leads to BSOD as showed in my video PoC.
If you can attach the PoC to this bug that would be helpful. Also as :bsmedberg asked if you have a crash ID (about:crashes) or can attach the output from about:support to the comments here in the bug that would also be very helpful for our investigation.
The exploit for crash in Adobe Flash. The exploit (BSOD) works at turning on/off sound (via "sound icon") or at mouse clicking in flash player area. But in the last case the crash occurs slowly, so clicking on "sound icon" is faster way to BSOD.
Curtis!

The output from about:support I've posted earlier, and now I've added rar-archive with poc/exploit.

For testing locally you can use my DoS exploit. In this case you will need to have web server and start it at localhost, i.e. http://localhost/poc.htm - because swf-file is working in network mode only.

For my exploit you need to have mp4 file (any video) near the exploit - put it near poc.htm. I've not placed poc.mp4 into archive to decrease its size - you can put any video file (it should work), or if you want the same atmosphere as in my video PoC, then you can download that video with dog and place it as poc.mp4 to the folder with exploit.
(In reply to MustLive from comment #6)
> Curtis!
> 
> The output from about:support I've posted earlier, and now I've added
> rar-archive with poc/exploit.
> 
> For testing locally you can use my DoS exploit. In this case you will need
> to have web server and start it at localhost, i.e. http://localhost/poc.htm
> - because swf-file is working in network mode only.
> 
> For my exploit you need to have mp4 file (any video) near the exploit - put
> it near poc.htm. I've not placed poc.mp4 into archive to decrease its size -
> you can put any video file (it should work), or if you want the same
> atmosphere as in my video PoC, then you can download that video with dog and
> place it as poc.mp4 to the folder with exploit.

Thanks for all the info, we'll look into this as soon as we can.
Can I also have the source of the .swf?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csec-dos, sec-vector, testcase
Whiteboard: Radeon/ati2dvag driver issue?
So far, I can't reproduce this on an AMD machine which has experienced our other crashes. At this point, I don't think we really want to track this in the Mozilla butracker. You should file it either with Adobe or with AMD (or both). I'm cc'ing a couple of our Adobe contacts in case they would like to file it directly.
Status: NEW → RESOLVED
Closed: 11 years ago
Component: Plug-ins → Flash (Adobe)
Keywords: crash, csec-dos, sec-vector, testcase
Product: Core → Plugins
Resolution: --- → INVALID
Whiteboard: Radeon/ati2dvag driver issue?
Version: 18 Branch → unspecified
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #9)
> So far, I can't reproduce this on an AMD machine which has experienced our
> other crashes. At this point, I don't think we really want to track this in
> the Mozilla butracker. You should file it either with Adobe or with AMD (or
> both). I'm cc'ing a couple of our Adobe contacts in case they would like to
> file it directly.

I think part of the point here is that the current version of firefox is preforming worse than previous versions, so we might have a performance regression here at the least.
Adobe PSIRT is working with the researcher and has been in direct communication. 

This is *not* reproducible in current Flash Player versions (as confirmed by researcher), and we're unable to reproduce this on the dozen or so AMD machines that we looked at using the reported version.
Guys!

This is additional information for you. This is from browser's about:support about graphics card of my friend, where BSOD also occurred (in Firefox 18.0.1).

Graphics

Direct2D enabled true
DirectWrite enabled true (6.1.7601.17514)
GPU #2 active false
GPU Accelerated Windows 1/1 Direct3D 10
Driver Version 8.761.0.0
WebGL Renderer Google Inc. -- ANGLE (ATI Mobility Radeon HD 4200 Series)
Driver Date 7-27-2010
Adapter Drivers aticfx32 aticfx32 atiumdag atidxx32 atiumdva
Vendor ID 0x1002
Device ID 0x9712
Adapter RAM 256
Adapter Description ATI Mobility Radeon HD 4200 Series 
Parameters ClearTypeGamma: 2200 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50
AzureCanvasBackend direct2d
AzureContentBackend direct2d
AzureFallbackCanvasBackend cairo

Benjamin!

As I've wrote in my first letter (quoted by Curtis), I've informed Adobe already in January. As Jeromie Clark confirmed above.

My main point was and the reason why Curtis added it to your Bugzilla was, that there was regression in Firefox. Earlier versions of the browser (such as 3.0.x, 3.5.x and 3.6.x and 10.0.7 ESR) are not affected to this crash and BSOD, but newer versions (such as 15.0.1 and 18.0.1) are affected. Old 3.x version have no plugin-container.exe (and 10.0.7 ESR has it), but they are stable and not crashing, unlike last versions of Firefox.
When running current versions of the available drivers for your graphics card(s), do you continue to encounter this crash?
Jeromie!

Last week Pieter already have asked me about this. And at 28th of February I've answered Adobe concerning it. I'll resend you that letter.
Firstly, in March 2013 I put that video demonstration to YouTube:

Adobe Flash DoS BSOD
http://www.youtube.com/watch?v=xi29KZ3LD80

Secondly, I've wrote to Mozilla the information about new Dos hole in Adobe Flash related to this case.
Group: core-security
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: