Message-ID: <DD867751442E42BC9001D50B6DAC4222@W340>
Date: Wed, 13 Jul 2016 00:54:46 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers

Hi @ll,

the executable installers of Flash Player released 2016-06-15
fixed CVE-2016-1014 in the second attempt, but another vulnerability
remained: they create(d) and use(d) UNSAFE temporary subdirectories
into which they copy/ied themselves and extract(ed) a file "fpb.tmp"
which they load(ed) and execute(d) later with elevated privileges.

An unprivileged user can/could overwrite both files between creation
and execution and gain elevation of privilege.

See <https://cwe.mitre.org/data/definitions/379.html> for this type
of well-known and well-documented vulnerability!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-03-12    initial report sent to Adobe PSIRT

2016-03-13    Adobe PSIRT acknowledges vulnerability and assigns
              PSIRT-4904

2016-04-06    Adobe PSIRT informs about CVE assigned and upcoming
              fix scheduled for release later that week

2016-04-17    notification sent to Adobe PSIRT: fix is incomplete,
              vulnerability persists

2016-04-17    Adobe PSIRT acknowledges receipt of second report

2016-04-17    Adobe PSIRT acknowledges vulnerability ... again

2016-06-17    Adobe released fixed Flash Player (un)installers,
              report for CVE-2016-1014 published

2016-06-17    new report sent to Adobe PSIRT: unsafe TEMP
              directory allows escalation of privilege

2016-06-17    Adobe PSIRT acknowledges receipt

2016-06-17    Adobe PSIRT acknowledges vulnerability and assigns
              PSIRT-5480

2016-07-10    Adobe PSIRT informs about CVE assigned and upcoming
              fix scheduled for release later this week

2016-07-12    Adobe released fixed Flash Player (un)installers,
              report for CVE-2016-4247 published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/