Flash (IBB): Adobe Flash Player ASnative(900,1).call(TextField) Use-After-Free Vulnerability

2016-03-01T08:03:36
ID H1:119655
Type hackerone
Reporter hhj4ck
Modified 2019-11-12T09:43:04

Description

I. Summary

Adobe Flash Player is prone to a vulnerability which leads to a Use-After-Free.


II. Description

If ASnative(900,1) is invoked with a TextField instance and getter properties associated with swfRoot, where the getter method includes a call to removeTextField(), the TextField instance is used after it has been freed.

The zip attachment contains crash.swf and its source code. The latest version of Adobe Flash Player, 20.0.0.267, has been tested under Windows 7.


III. Impact

Use-After-Free


IV. Credit

Wen Guanxing from Venustech ADLAB is credited for this vulnerability.

Adobe has assigned it CVE-2016-0983: https://helpx.adobe.com/security/products/flash-player/apsb16-04.html