Flash (IBB): Adobe Flash Player ShimContentResolver(resolverType=1) class Memory Corruption Vulnerability

2016-06-17T01:03:20
ID H1:145272
Type hackerone
Reporter hhj4ck
Modified 2019-11-12T09:42:11

Description

I. Summary Adobe Flash Player is prone to a vulnerability that leads to memory corruption because of improper validation in ShimContentResolver.resolve().


II. Description Normally, resolve() should validate its parameter with canResolve() and return an error at the AS3 level if anything goes wrong. However, if ShimContentResolver is constructed with resolverType=1, then invoking resolve() with an invalid Opportunity instance leaves some inner fields of ShimContentResolver absent, which causes a memory crash.


III. Credit Wen Guanxing from Pangu LAB is credited for this vulnerability.

Adobe has assigned it CVE-2016-4155. https://helpx.adobe.com/security/products/flash-player/apsb16-18.html