secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research

Type Confusion in Setting Microphone Codec #120

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a type confusion bug when setting the codec of a Microphone object. 
The AVM1 call assumes the first parameter is a string, but does not verify that 
this is the case. If the parameter is a numeric type instead of a string, 
String native methods will be called on a pointer that is set by the attacker.

The issue can be reproduced by executing the following ActionScript:

flash.Lib._root._global.ASnative(2104,4).call(flash.Microphone.get(), 7777777777777777);

The method call above is equivalent to Microphone.codec = value.

A sample swf is attached.

Original issue reported on code.google.com by natashe...@google.com on 3 Oct 2014 at 11:42

Attachments:
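The bug class described in the report, as an added illustration that is not part of the original issue and not Flash Player's code: a constructed tagged-value ("atom") model in C, with a native setter that trusts the pointer member without checking the tag next to one that validates the tag first. The `atom` layout, `microphone` struct, and the `set_codec_*` function names are all assumptions made for this example; the numeric argument is the value from the report, and the helper `unchecked_pointer_bits` only reports which pointer value the unchecked path would use, without dereferencing it (it assumes a 64-bit little-endian target).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tagged script value ("atom"): the tag says whether
 * the payload is a number or a pointer to a string. This illustrates the bug
 * class only; it is not Flash Player's real value representation. */
typedef enum { TAG_NUMBER, TAG_STRING } atom_tag;

typedef struct {
    atom_tag tag;
    union {
        double number;        /* payload when tag == TAG_NUMBER */
        const char *string;   /* payload when tag == TAG_STRING */
    } u;
} atom;

typedef struct {
    char codec_name[32];      /* hypothetical storage for Microphone.codec */
} microphone;

static atom make_number(double d) {
    atom a; a.tag = TAG_NUMBER; a.u.number = d; return a;
}

static atom make_string(const char *s) {
    atom a; a.tag = TAG_STRING; a.u.string = s; return a;
}

/* Vulnerable pattern: the native setter assumes its argument is a string and
 * reads the pointer member without consulting the tag. With a TAG_STRING
 * argument it works; with a TAG_NUMBER argument the double's bit pattern
 * would be treated as a string pointer. */
static int set_codec_unchecked(microphone *m, atom arg) {
    const char *s = arg.u.string;   /* no tag check: this is the confusion */
    snprintf(m->codec_name, sizeof m->codec_name, "%s", s);
    return 0;
}

/* Reports which pointer value the unchecked path would use for a given
 * argument, without touching memory. Assumes a 64-bit little-endian target
 * where the double and the pointer occupy the same 8 bytes of the union. */
static uintptr_t unchecked_pointer_bits(atom arg) {
    uintptr_t bits;
    memcpy(&bits, &arg.u, sizeof bits);
    return bits;
}

/* Hardened pattern: validate the tag before trusting the pointer member.
 * Returns 0 on success, -1 (leaving the codec untouched) for a non-string. */
static int set_codec_checked(microphone *m, atom arg) {
    if (arg.tag != TAG_STRING || arg.u.string == NULL)
        return -1;
    snprintf(m->codec_name, sizeof m->codec_name, "%s", arg.u.string);
    return 0;
}

int main(void) {
    microphone m = { "default" };
    atom numeric = make_number(7777777777777777.0);   /* value from the report */

    set_codec_unchecked(&m, make_string("speex"));
    printf("unchecked with string: codec=%s\n", m.codec_name);
    printf("unchecked with number would dereference 0x%llx\n",
           (unsigned long long)unchecked_pointer_bits(numeric));

    int rc = set_codec_checked(&m, numeric);
    printf("checked with number: rc=%d codec=%s\n", rc, m.codec_name);
    return 0;
}
```

The checked setter is the shape of fix a reviewer would look for in any native method that is reachable from script: decide what to do with a mismatched tag (reject, or run the language's own string coercion) before the pointer member is ever read.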

GoogleCodeExporter commented 9 years ago
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original comment by cev...@google.com on 4 Oct 2014 at 12:00

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 6 Oct 2014 at 6:16

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Nov 2014 at 2:36

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:53

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:25