Lucene search

K
attackerkbAttackerKBAKB:BDC2BC7E-5904-4C44-80ED-E26E3BD1A1A6
HistoryJul 08, 2015 - 12:00 a.m.

Adobe Flash ByteArray Use-After-Free

2015-07-0800:00:00
attackerkb.com
86

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Recent assessments:

wchen-r7 at September 12, 2019 6:07pm UTC reported:

<http://en.wikipedia.org/wiki/Adobe_Flash_Player&gt;

Congrats! You are reading about the most beautiful Flash bug for the last four
years since CVE-2010-2161.

The use-after-free vulnerability exists inside the built-in ByteArray class
<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html&gt;

Letโ€™s create a simple ByteArray object:

var ba:ByteArray = new ByteArray();
ba.length = 8;
ba[1] = 1;

Now we can access ba[] items and write numeric byte values into ba[].
Also we are allowed to write objects into ByteArray. For example:

var obj = new MyClass();
ba[0] = obj;

AS3 will try to implicitly convert the MyClass object into numeric value by
calling the MyClass.valueOf() method. This method can be easily redefined
within the userโ€™s code:

class MyClass
{
    prototype.valueOf = function()
    {
        ba.length = 88; // reallocate ba[] storage
        return 0;       // return byte for ba[offset]
    }
}

Letโ€™s see how that implicit conversion occurs inside the native code:

push esi
mov  eax, [esp+8]                // the offset value from "ba[offset] = obj"
push eax
add  ecx, 0x18                   // ecx = this = "ba" object pointer
call ByteArray.getStorage()      // gets ba[offset] storage pointer and
mov  esi, eax                    // saves it in esi

mov  ecx, [esp+0xC]              // "obj" pointer
push ecx
call AvmCore.toInteger()         // call MyClass.valueOf()
add  esp,4
mov  [esi], al                   // writes returned byte into array

pop  esi
ret  8

On high-level language this will look like:

void ByteArray.setObjInternal(int offset, obj)
{
    byte* dest = this.getStorage(offset);
    dest* = toInteger(obj);
}

So the array storage pointer is saved in local variable, then AS3 valueOf() is
invoked from the native code and returned byte is written into destination
pointer at the end. If valueOf() changes the length of byte array (see above)
and reallocates its internal storage, then local destination pointer becomes
obsolete and further usage of that pointer can lead to UaF memory corruption.

Using this vulnerability, itโ€™s very easy to control what byte will be written
and at which offset this corruption will occur.

  1. AFFECTED SOFTWARE
    Adobe Flash Player 9 and higher

  2. TESTING
    Open the test โ€œcalc.htmโ€ file in your browser and press the button.

on Windows:
Calc.exe should be popped on desktop IE.
Calc.exe should be run as a non-GUI child process in metro IE.
Payload returns 0 from CreateProcessA(โ€œcalc.exeโ€) inside Chrome/FF sandbox.

on OS X:
Calculator is launched in FF or standalone Flash Player projector.
Payload returns 1 from vfork() in Safari sandbox.

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C