v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Adobe Flash Calling Superconstructor More Than Once Can Lead to Inconsistent User Data and Destroy Func #205

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The user data and destroy func of an object can be made inconsistent by calling 
the superconstructor (method super) more than once. For example if a class 
extends BitmapData and its constructor contains the following code:

    super();
    this.__proto__= {};
    this.__proto__.__constructor__ = String;
    super("test");

The object's user data and destroy function will be set for type BitmapData 
when super is first called, and then its user data will be set for type String 
when the superconstructor is called the second time. This will leave the object 
with String user data, but the BitmapData destroy func, which will lead to type 
confusion when the object is freed. 

A sample swf and code is attached. To reproduce, click the purple button (this 
is for ease of analysis, the bug does not require user interaction). POC was 
tested on Chrome and Firefox.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 1 Dec 2014 at 4:41

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by natashe...@google.com on 1 Dec 2014 at 7:01

GoogleCodeExporter commented 9 years ago
I ran the PoC on my Linux x64 and it crashed immediately, very nice.

Original comment by cev...@google.com on 1 Dec 2014 at 8:40

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 2 Dec 2014 at 12:30

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 4 Feb 2015 at 7:06

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Original comment by cev...@google.com on 6 Feb 2015 at 3:14

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 12 Feb 2015 at 8:11