Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability

2014-11-1706:20:07

hhj4ck

hackerone.com

0.015 Low

EPSS

Percentile

86.8%

JSON

I. Summary
Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. After parsing a malformed mp4 file, Flash will not free the NetStream object properly. Such memory block is still accessed even the page containing Flash is closed, which leads to a memory crash.

II. Description
Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player. NetStream object can load and play an external mp4 file.
After playing a mp4 file, Flash will keep on accessing the memory saving the media object. A malformed mp4 file will trick the Flash to believe that this film never ends. The accessing continues even the web page containing Flash is closing. Closing the page release Flash from the memory space, while the accessing is still going on via a standalone thread.
There are two possible types of crash depending on the order of different blocks’ release:

If the media object memory is freed first, then the memory crash is caused by accessing freed memory.
If the meida object is freed later, the crash is caused by executing freed memory.
Each of the two possible types of crash may by exploited by carefully crafted mp4 file which could lead to code execution.