[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Wed, 13 Jul 2016 00:54:46 +0200
Hi @ll,
the executable installers of Flash Player released 2016-06-15
fixed CVE-2016-1014 in the second attempt, but another vulnerability
remained: they create(d) and use(d) UNSAFE temporary subdirectories
into which they copy/ied themselves and extract(ed) a file "fpb.tmp"
which they load(ed) and execute(d) later with elevated privileges.
An unprivileged user can/could overwrite both files between creation
and execution and gain elevation of privilege.
See <https://cwe.mitre.org/data/definitions/379.html> for this type
of well-known and well-documented vulnerability!
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-03-12 initial report sent to Adobe PSIRT
2016-03-13 Adobe PSIRT acknowledges vulnerability and assigns
PSIRT-4904
2016-04-06 Adobe PSIRT informs about CVE assigned and upcoming
fix scheduled for release later that week
2016-04-17 notification sent to Adobe PSIRT: fix is incomplete,
vulnerability persists
2016-04-17 Adobe PSIRT acknowledges receipt of second report
2016-04-17 Adobe PSIRT acknowledges vulnerability ... again
2016-06-17 Adobe released fixed Flash Player (un)installers,
report for CVE-2016-1014 published
2016-06-17 new report sent to Adobe PSIRT: unsafe TEMP
directory allows escalation of privilege
2016-06-17 Adobe PSIRT acknowledges receipt
2016-06-17 Adobe PSIRT acknowledges vulnerability and assigns
PSIRT-5480
2016-07-10 Adobe PSIRT informs about CVE assigned and upcoming
fix scheduled for release later this week
2016-07-12 Adobe released fixed Flash Player (un)installers,
report for CVE-2016-4247 published