Adobe Flash - Object.unwatch Use-After-Free Exploit

2016-03-29T00:00:00
ID EDB-ID:39631
Type exploitdb
Reporter Google Security Research
Modified 2016-03-29T00:00:00

Description

Adobe Flash - Object.unwatch Use-After-Free Exploit. CVE-2016-0998. Remote exploits for multiple platform

                                        
                                            Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html

The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 

 This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:

  var o = {};
 o.unwatch();

 The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString  could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

  void* args = alloca( args_size );
 for( int i = 0; i < args_size; i++){
  // Init args
 }

 if ( ((int) args[0]) & 6 == 6 )
  args[0] = call_toString( args[0] );

 if ( args_size < 1)
  exit();


Exploit:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39631.zip