Adobe Flash Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter

2015-12-14T00:00:00
ID EDB-ID:38970
Type exploitdb
Reporter Google Security Research
Modified 2015-12-14T00:00:00

Description

Adobe Flash Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter. CVE-2015-7648. DoS exploits for multiple platforms.

                                        
Source: https://code.google.com/p/google-security-research/issues/detail?id=545

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.

In the following ActionScript:

		flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
		var b = new ByteArray();
		var a = {};
		a.test = 1;
		b.writeObject(a);

The object 'a', which has a dynamic property 'test', is serialized using a custom dynamicPropertyWriter of class subdpw. However, this class overrides writeDynamicProperties with a property that is not a function, leading to type confusion (note that this is not possible in the compiler; the bytecode needs to be modified manually).
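
The missing check described above, as an added illustration in C (not code from the report, the PoC, or Adobe): a simplified model in which a property slot carries a type tag, with the unchecked call beside a checked one. The Value and Writer types, the serialize_* and sample_writer functions, and the error codes are assumptions made for this sketch.

```c
#include <stdio.h>

/* Simplified model, not Adobe's code: a property slot carries a type tag. */
typedef enum { KIND_INT, KIND_FUNCTION } Kind;
typedef int (*WriterFn)(const char *name, int value);
typedef struct {
    Kind kind;
    union { int i; WriterFn fn; } u;   /* which member is valid depends on kind */
} Value;
/* Hypothetical writer object with the slot the serializer calls through. */
typedef struct { Value writeDynamicProperties; } Writer;
enum { SER_OK = 0, SER_ERR_NOT_CALLABLE = -1 };

/* Unchecked form, shown for contrast and never called here: it trusts the
 * interface declaration and uses the slot as a function without reading the
 * tag, so an int stored in the slot would be treated as a code pointer. */
int serialize_unchecked(const Writer *w, const char *name, int value) {
    return w->writeDynamicProperties.u.fn(name, value);
}

/* Checked form: verify at call time that the slot really holds a function. */
int serialize_checked(const Writer *w, const char *name, int value) {
    const Value *slot = &w->writeDynamicProperties;
    if (slot->kind != KIND_FUNCTION || slot->u.fn == NULL)
        return SER_ERR_NOT_CALLABLE;
    return slot->u.fn(name, value);
}

/* Constructed sample callback: accepts the property used in the snippet above. */
int sample_writer(const char *name, int value) {
    return (name != NULL && value == 1) ? SER_OK : -2;
}

/* Well-formed writer: the slot holds a function. */
int demo_function_slot(void) {
    Writer w = { { KIND_FUNCTION, { .fn = sample_writer } } };
    return serialize_checked(&w, "test", 1);
}

/* Malformed writer, as in the report: the slot holds a non-function value. */
int demo_confused_slot(void) {
    Writer w = { { KIND_INT, { .i = 1 } } };
    return serialize_checked(&w, "test", 1);
}

int main(void) {
    printf("function slot: %d, confused slot: %d\n",
           demo_function_slot(), demo_confused_slot());
    return 0;
}
```

The checked path rejects the malformed writer with an error instead of dispatching through the slot, which is the general remedy for this class of bug: validate the runtime type of a value before using it as a callable, even when an interface declaration says it must be one.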

To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38970.zip