II. Description
Adobe Flash is a multimedia and software platform used for authoring vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player. The FileReference class provides a means to upload and download files between a user's computer and a server. An operating-system dialog box prompts the user to select a file to upload or a location for the download.
To trigger the use-after-free vulnerability, we start by building a wrapper class within which we create and call member functions of FileReference. For our POC code snippet, the wrapper class "Crash" is defined in Crash.as.
If we go through the normal process of loading a local image (the browse(), load()... sequence) via FileReference several times, memory corruption caused by reads from or writes to freed memory will occur. To simplify the triggering process, we use the FileReferenceList object instead, which allows us to load several images at the same time.
To reproduce the problem via our POC code snippets, start by opening poc.swf in Internet Explorer. Then click the "Click Me" button and choose all the images inside the "pics" folder. Normally, the memory crash caused by the use-after-free will occur. If nothing happens after a few seconds, click the button and repeat the same operations. Alternatively, copy and paste the images inside the "pics" folder so that more images are loaded at the same time.
In order to exploit this use-after-free vulnerability to execute shellcode, an attacker may use the multithreading feature of Flash to heap-spray the memory between the "free" and the "use".
VI. Credit
Wen Guanxing from Venustech is credited for this vulnerability.