19 lines
No EOL
1.1 KiB
Text
19 lines
No EOL
1.1 KiB
Text
Source: https://code.google.com/p/google-security-research/issues/detail?id=545
|
|
|
|
There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.
|
|
|
|
In the following ActionScript:
|
|
|
|
flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
|
|
var b = new ByteArray();
|
|
var a = {};
|
|
a.test = 1;
|
|
b.writeObject(a);
|
|
|
|
The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).
|
|
|
|
To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip |