exploitdb | Google Security Research | EDB-ID: 38970
History: Dec 14, 2015 - 12:00 a.m.

Adobe Flash - Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter

Source: https://code.google.com/p/google-security-research/issues/detail?id=545

There is a type confusion issue during serialization if ObjectEncoding.dynamicPropertyWriter is overridden with a value that is not a function.

In the following ActionScript:

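		import flash.utils.ByteArray;

		// Install the custom writer; subdpw's writeDynamicProperties is not a function
		flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
		var b = new ByteArray();
		var a = {};
		a.test = 1; // dynamic property, so the custom writer is consulted
		// Serialization reaches the non-function property here
		b.writeObject(a);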

The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subdpw. However, this class overrides writeDynamicProperties with a property that is not a function, leading to type confusion (note that this is not possible in the compiler; the bytecode needs to be modified manually).

To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the SWF, decompress it (for example, using flasm -x), then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".
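The decompress-and-search step above is also useful for triaging SWF samples: identifier names are stored as plain UTF-8 in the file once it is uncompressed. The following is an added example, not part of the original advisory; `swf_body`, `triage` and `make_sample` are hypothetical names, the sample bytes are constructed, and LZMA-compressed (ZWS) files are out of scope.

```python
import struct
import zlib

# Identifier strings named in the advisory. A hit is a triage hint only:
# legitimate SWFs can also install a custom dynamic property writer.
MARKERS = (b"dynamicPropertyWriter", b"writeDynamicProperties")


def swf_body(data):
    """Return the uncompressed SWF bytes (header included) for FWS/CWS input."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    declared = struct.unpack("<I", data[4:8])[0]  # length after decompression
    if declared < 8:
        raise ValueError("declared length smaller than the header")
    if sig == b"FWS":
        body = data
    elif sig == b"CWS":
        # Bytes after the 8-byte header form one zlib stream. Cap the output
        # one byte past the declared size so an oversized stream is rejected
        # instead of being fully inflated.
        try:
            rest = zlib.decompressobj().decompress(data[8:], declared - 8 + 1)
        except zlib.error as exc:
            raise ValueError("corrupt zlib stream") from exc
        body = b"FWS" + data[3:8] + rest
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled here")
    else:
        raise ValueError("not a SWF signature")
    if len(body) != declared:
        raise ValueError("declared length does not match actual length")
    return body


def triage(data):
    """List the advisory's marker strings present in the uncompressed SWF."""
    body = swf_body(data)
    return [m.decode() for m in MARKERS if m in body]


def make_sample(payload, compress):
    """Constructed test input: SWF header plus raw payload, not a playable file."""
    head = (b"CWS" if compress else b"FWS") + b"\x0a"
    head += struct.pack("<I", 8 + len(payload))
    return head + (zlib.compress(payload) if compress else payload)
```

A non-empty result means the file references the serialization hook and deserves a closer look at how the writer class is defined; it does not by itself indicate a malformed writer.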


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip