Adobe Flash - Object.unwatch Use-After-Free Exploit

ID EDB-ID:39631
Type exploitdb
Reporter Google Security Research
Modified 2016-03-29T00:00:00


Adobe Flash - Object.unwatch Use-After-Free Exploit. CVE-2016-0998. Remote exploits for multiple platform


The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 

 This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:

  var o = {};

 The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString  could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

  void* args = alloca( args_size );
 for( int i = 0; i < args_size; i++){
  // Init args

 if ( ((int) args[0]) & 6 == 6 )
  args[0] = call_toString( args[0] );

 if ( args_size < 1)