Adobe Flash Player fpb.tmp Privilege Escalation
Posted on 30 November -0001
<HTML><HEAD><TITLE>Adobe Flash Player fpb.tmp Privilege Escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Hi @ll, the executable installers of Flash Player released 2016-06-15 fixed CVE-2016-1014 in the second attempt, but another vulnerability remained: they create(d) and use(d) UNSAFE temporary subdirectories into which they copy/ied themselves and extract(ed) a file "fpb.tmp" which they load(ed) and execute(d) later with elevated privileges. An unprivileged user can/could overwrite both files between creation and execution and gain elevation of privilege. See <https://cwe.mitre.org/data/definitions/379.html> for this type of well-known and well-documented vulnerability! stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-03-12 initial report sent to Adobe PSIRT 2016-03-13 Adobe PSIRT acknowledges vulnerability and assigns PSIRT-4904 2016-04-06 Adobe PSIRT informs about CVE assigned and upcoming fix scheduled for release later that week 2016-04-17 notification sent to Adobe PSIRT: fix is incomplete, vulnerability persists 2016-04-17 Adobe PSIRT acknowledges receipt of second report 2016-04-17 Adobe PSIRT acknowledges vulnerability ... again 2016-06-17 Adobe released fixed Flash Player (un)installers, report for CVE-2016-1014 published 2016-06-17 new report sent to Adobe PSIRT: unsafe TEMP directory allows escalation of privilege 2016-06-17 Adobe PSIRT acknowledges receipt 2016-06-17 Adobe PSIRT acknowledges vulnerability and assigns PSIRT-5480 2016-07-10 Adobe PSIRT informs about CVE assigned and upcoming fix scheduled for release later this week 2016-07-12 Adobe released fixed Flash Player (un)installers, report for CVE-2016-4247 published </BODY></HTML>
