Title:
[Kil13r-SA-20100513] Adobe Flash Player 10.0 Denial Of Service Vulnerability

Author:
Kil13r - http://www.kil13r.info/

Local / Remote:
Local

Timeline:
2008/10/22 - Discover
2009/07/19 - Vendor notification
2009/07/21 - Vendor response
2009/07/25 - Contact vendor
2009/07/28 - Vendor response (Unable to reproduce)
2009/07/28 - Contact vendor
2009/11/18 - Contact vendor (Vendor prerelease 10.1, PoC doesn't work anymore)
2009/11/19 - Vendor response (Still unable to reproduce the issue in 10.0)
2009/11/19 - Contact vendor (Send video demo)
2009/11/26 - Vendor response
2010/05/13 - Release
2010/05/18 - Resend to bugtraq
2010/05/18 - Bugtraq response (Send some more technical information)
2010/05/19 - Resend to bugtraq (Add more technical information)

Affected version:
Adobe Flash Player 10.0

Not affected version:
Adobe Flash Player 10.1+

Description:
Adobe Flash Player 10.0 allows local users to cause a denial of
service (memory consumption and system crash).

Technical information:
1) Log data, item 0
  Address = 6B427D3A
  Message = Break on guarded memory page set by application while
writing to [07ED0000] - Shift+Run/Step to pass exception to the
program

2) CPU Disasm
Address   Hex dump          Command                                  Comments
6B427D3A    881E            MOV BYTE PTR DS:[ESI],BL

3) CPU

EAX 06F4B000
ECX 0243CC14
EDX 07ED0000
EBX 00000010
ESP 0243C9EC
EBP 00000003
ESI 07ED0000
EDI 0243CC14
EIP 6B427D3A Flash10e_ocx.6B427D3A

C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr 00000000 ERROR_SUCCESS
EFL 00250202 (NO,NB,NE,A,NS,PO,GE,G)
...

The rest is omitted.
For more information see Proof of Concept screen shot.

Proof of Concept code:
http://www.kil13r.info/data/aaa.zip

Proof of Concept screen shot:
http://www.kil13r.info/sa/aaa/ollydbg.jpg

Proof of Concept video:
http://www.youtube.com/watch?v=Z_YT_m7aBWk