There is a type confusion vulnerability in the TextField constructor in AS3.
When a TextField is constructed, a generic backing object is created and reused
when subsequent TextField objects are created. However, if an object with the
same ID has already been created in the SWF, that backing object can be of the
wrong type. The constructor does check for this situation: it throws an
exception and sets a flag that shuts down the player. The backing object is
then retyped as TextField so that the modifications the constructor has already
made to it cannot cause problems if it is later used as an object of its
original type elsewhere in the player.
However, if the exception thrown by the constructor is caught, the exception
handler can create another TextField object. Since the type of the generic
backing object has already been changed to TextField, the second constructor
call succeeds, but an object of the wrong type is now backing the TextField,
which makes it possible to set the pointers in the object to integer values
selected by the attacker.
The PoC SWF for this issue needs to be created by hand. The original SWF code
is:

    try {
        var t = new TextField();   // backing object has the wrong type: constructor throws
    } catch (e:Error) {
        var t2 = new TextField();  // second construction reuses the retyped backing object
        t2.gridFitType;            // touch a property on the confused object
    }

Then in the SWF, a backing object of a different type with ID 0xfff9 is
created, which causes the first constructor call to fail and the second to
cause the type confusion.
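The control flow above can be modelled without any Flash internals. The following C program is an added illustration, not code from the report or from Flash Player: it models a pool of backing objects keyed by ID with a type tag, a constructor that behaves as the report describes (on a tag mismatch it sets the shutdown flag, retypes the object as TextField and "throws" by returning NULL), and a hardened variant that refuses further construction once shutdown is pending. The pool, the `allocated_as` field used to detect the confusion, and the hardened check are all assumptions of the model; the `0xfff9` ID is the one from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the player's object kinds; KIND_SHAPE stands in for
   "some non-TextField type" defined earlier in the SWF. */
enum kind { KIND_NONE = 0, KIND_SHAPE = 1, KIND_TEXTFIELD = 2 };

/* A pooled backing object: the tag the player believes, plus (for checking
   only) the type its payload was actually laid out as. */
struct backing {
    int id;
    enum kind kind;          /* current type tag */
    enum kind allocated_as;  /* layout the payload was initialised with */
};

struct player {
    struct backing pool[4];
    size_t npool;
    bool shutdown;           /* "shut down the player" flag */
};

/* Reuse the backing object with this ID if one exists, else create it. */
static struct backing *find_or_create(struct player *p, int id, enum kind k) {
    for (size_t i = 0; i < p->npool; i++)
        if (p->pool[i].id == id) return &p->pool[i];
    struct backing *b = &p->pool[p->npool++];
    b->id = id;
    b->kind = k;
    b->allocated_as = k;
    return b;
}

/* Constructor as the report describes it: on mismatch, flag shutdown, retype
   the object as TextField, then throw (modelled as returning NULL). */
static struct backing *textfield_ctor_vulnerable(struct player *p, int id) {
    struct backing *b = find_or_create(p, id, KIND_TEXTFIELD);
    if (b->kind != KIND_TEXTFIELD) {
        p->shutdown = true;
        b->kind = KIND_TEXTFIELD;  /* retyped so the original type is not used later */
        return NULL;               /* exception */
    }
    return b;
}

/* Hardened model (assumption, not the vendor's fix): once shutdown is pending
   no further construction is allowed, and an object is only handed out when
   its tag and its payload layout agree. */
static struct backing *textfield_ctor_hardened(struct player *p, int id) {
    if (p->shutdown) return NULL;
    struct backing *b = find_or_create(p, id, KIND_TEXTFIELD);
    if (b->kind != KIND_TEXTFIELD || b->allocated_as != KIND_TEXTFIELD) {
        p->shutdown = true;
        return NULL;
    }
    return b;
}

/* Replay the PoC's try/catch flow against a constructor. Returns true when the
   construction in the "catch" block yields a TextField whose backing payload
   was laid out as another type, i.e. the confusion the report describes. */
static bool run_poc(struct player *p, struct backing *(*ctor)(struct player *, int)) {
    memset(p, 0, sizeof *p);
    find_or_create(p, 0xfff9, KIND_SHAPE);   /* SWF defines ID 0xfff9 as another type first */
    struct backing *t = ctor(p, 0xfff9);     /* try { new TextField() } */
    if (t != NULL) return false;             /* no exception thrown, nothing to catch */
    struct backing *t2 = ctor(p, 0xfff9);    /* catch { new TextField() } */
    if (t2 == NULL) return false;            /* second construction refused */
    return t2->kind == KIND_TEXTFIELD && t2->allocated_as != KIND_TEXTFIELD;
}

int main(void) {
    struct player p;
    printf("vulnerable constructor confused: %s\n",
           run_poc(&p, textfield_ctor_vulnerable) ? "yes" : "no");
    printf("hardened constructor confused:   %s\n",
           run_poc(&p, textfield_ctor_hardened) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the shutdown flag alone is not a mitigation: retyping the backing object makes the very next constructor call succeed against a payload that was never initialised as a TextField, and anything that runs before the player actually shuts down (here, the catch block) sees that object.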
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Original issue reported on code.google.com by natashe...@google.com on 14 Jan 2016 at 11:54