Adobe Flash Bad Write in XML When Callback Modifies XML Tree During Property Delete

2015-08-19T00:00:00
ID EDB-ID:37872
Type exploitdb
Reporter Google Security Research
Modified 2015-08-19T00:00:00

Description

Adobe Flash Bad Write in XML When Callback Modifies XML Tree During Property Delete. CVE-2015-5549. DoS exploit for multiple platforms.

Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

Source file and compiled PoC attached.

Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:

bool XMLListObject::delUintProperty(uint32_t index)
...
    if (index >= _length())                              // [1]
    {
        return true;
    }
...
    px->childChanges(core->knodeRemoved, r->atom());     // [2]
...
    m_children.removeAt(index);                          // [3]

In [1], the passed-in index is validated against the current length. In [2], the callback can run ActionScript, which might shrink the current XMLList. In [3], the pre-validated index is used, but it may now be invalid because of the shrinking at [2]. Unfortunately, removeAt() does not behave well when given an out-of-bounds index.
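The check-notify-use ordering above, reduced to a small self-contained C++ model (added example, not avmplus code): the childChanges() hook is simulated with a std::function that can mutate the list, removeAt() reports a stale index instead of performing the bad write, and a re-validation after the callback is one assumed hardening, not necessarily Adobe's actual fix.

```cpp
#include <cstdint>
#include <functional>
#include <vector>

// Stand-in for an XMLList's child storage plus its childChanges() hook.
struct ChildList {
    std::vector<int> children;
    std::function<void(ChildList&)> onChildRemoved;  // simulated ActionScript callback

    // Models removeAt(): returns false where the real code would write
    // out of bounds, so the stale-index case is observable, not undefined.
    bool removeAt(uint32_t index) {
        if (index >= children.size()) return false;
        children.erase(children.begin() + index);
        return true;
    }

    // Vulnerable ordering from the advisory: validate, notify, use stale index.
    bool delUintPropertyVulnerable(uint32_t index) {
        if (index >= children.size()) return true;   // [1] validated here
        if (onChildRemoved) onChildRemoved(*this);    // [2] may shrink children
        return removeAt(index);                        // [3] index may be stale
    }

    // Hardened ordering (assumed fix): re-check the index after re-entrancy.
    bool delUintPropertyFixed(uint32_t index) {
        if (index >= children.size()) return true;
        if (onChildRemoved) onChildRemoved(*this);
        if (index >= children.size()) return true;    // re-validate after callback
        return removeAt(index);
    }
};

// Callback that empties the list mid-delete (constructed scenario).
static void clearAll(ChildList& self) { self.children.clear(); }

bool vulnerableUsesStaleIndex() {
    ChildList l;
    l.children = {1, 2, 3};
    l.onChildRemoved = clearAll;
    return !l.delUintPropertyVulnerable(2);  // removeAt() sees index 2 on an empty list
}

bool fixedHandlesShrink() {
    ChildList l;
    l.children = {1, 2, 3};
    l.onChildRemoved = clearAll;
    return l.delUintPropertyFixed(2) && l.children.empty();  // stale index caught
}

size_t fixedRemovesWhenUnchanged() {
    ChildList l;
    l.children = {1, 2, 3};
    l.delUintPropertyFixed(1);  // no callback installed, so the index stays valid
    return l.children.size();
}
```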

The PoC works by triggering a wild copy in order to demonstrate the crash, but other side effects are possible, such as decrementing the refcount of an object at an out-of-bounds index.

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37872.zip