FLASH, CVE-2015-0313 analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201559504
Type myhack58
Reporter 佚名 (anonymous)
Modified 2015-02-28T00:00:00


On February 2 of this year, Trend Micro discovered a Flash 1-day (CVE-2015-0313). Like the previously analyzed CVE-2015-0311, it is a use-after-free (UAF). The memory referenced by domainMemory is freed, and the ability to read and write that freed memory is then used to execute arbitrary instructions. The vulnerability was used by attackers against Firefox and IE on Windows 8.1 and lower versions.

Analysis environment: Windows 7 with the ActiveX Flash plugin.

  1. PoC analysis

The main thread sets the shareable attribute of a ByteArray to true, so that its memory can be shared with a worker thread, and assigns that ByteArray to domainMemory. It then passes the ByteArray object to the worker thread with the setSharedProperty method. The worker thread obtains the ByteArray with getSharedProperty and calls its clear method, which sets the length to zero and frees the data buffer of the ByteArray. domainMemory, however, still holds the address of the freed data buffer, and this dangling reference is the UAF condition of the vulnerability.

[Figure: t01fa83f53a59fac15f.png]

The memory layout changes as a result of the decompression process.

[Figure: t01837e007cde5899e8.png]

Patch analysis

[Figure: t01ce6951497853ca6b.png]
</gml_replace>
<gr_replace lines="27" cat="clarify" orig="The vulnerability">
The vulnerability was examined by comparing the vulnerable Flash version 16.0.0.296 with the patched version 16.0.0.305.

The vulnerability is in the FLASH of the valid version of 1 6. 0. 0. 2 9 6 and 1 6. 0. 0. 3 0 5 patch version for comparison.

In the patched version, the function that sets the ApplicationDomain.currentDomain.domainMemory property checks the shareable attribute of the ByteArray object. If the attribute is true, the function throws error 3735 (this API does not accept a shared ByteArray).

[Figure: t01a6b22bed1758f3ff.png]

The byte at offset 0x44 in the ByteArray object holds the shareable attribute value.
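The following is an added illustration, not code from the original article or from Flash Player: a small Python model of the PoC sequence above (shared ByteArray assigned to domainMemory, cleared from the worker) and of the check introduced by the patch. The Heap, ByteArray and ApplicationDomain classes are constructed simplifications; domainMemory is modelled as caching a raw buffer id rather than owning the ByteArray, which is what leaves it dangling once the worker calls clear().

```python
"""Toy model of the CVE-2015-0313 condition and of the 16.0.0.305 check.
Constructed illustration only; names and structures are assumptions."""


class BufferFreed(Exception):
    """Raised when a buffer is accessed after it was released (the UAF)."""


class SharedByteArrayRejected(Exception):
    """Models Flash error 3735: the API does not accept a shared ByteArray."""


class Heap:
    """Minimal allocator: live buffers are tracked by id so a read after free is detectable."""

    def __init__(self):
        self._live = {}
        self._next_id = 1

    def alloc(self, size):
        buf_id = self._next_id
        self._next_id += 1
        self._live[buf_id] = bytearray(size)
        return buf_id

    def free(self, buf_id):
        del self._live[buf_id]

    def read(self, buf_id, offset):
        if buf_id not in self._live:
            raise BufferFreed(f"buffer {buf_id} read after free")
        return self._live[buf_id][offset]


class ByteArray:
    """Model of a ByteArray: a data buffer plus the shareable flag the patch inspects."""

    def __init__(self, heap, size):
        self.heap = heap
        self.shareable = False
        self.buffer = heap.alloc(size)
        self.length = size

    def clear(self):
        # ByteArray.clear(): length becomes zero and the data buffer is released.
        if self.buffer is not None:
            self.heap.free(self.buffer)
        self.buffer = None
        self.length = 0


class ApplicationDomain:
    """domainMemory keeps only the raw buffer id, not ownership of the ByteArray."""

    def __init__(self, heap, patched):
        self.heap = heap
        self.patched = patched
        self._domain_memory = None

    def set_domain_memory(self, byte_array):
        # The 16.0.0.305 check: a shareable ByteArray is refused with error 3735.
        if self.patched and byte_array.shareable:
            raise SharedByteArrayRejected("Error 3735: shared ByteArray not accepted")
        self._domain_memory = byte_array.buffer

    def read_byte(self, offset):
        return self.heap.read(self._domain_memory, offset)


def run_scenario(patched):
    """Replays the PoC ordering and reports how the run ends:
    'rejected' (patched setter refused), 'uaf' (dangling domainMemory read), or 'ok'."""
    heap = Heap()
    domain = ApplicationDomain(heap, patched)
    shared_properties = {}  # stands in for setSharedProperty / getSharedProperty

    main_ba = ByteArray(heap, 0x1000)
    main_ba.shareable = True  # value at object offset 0x44 in the real ByteArray
    try:
        domain.set_domain_memory(main_ba)
    except SharedByteArrayRejected:
        return "rejected"
    shared_properties["ba"] = main_ba  # setSharedProperty in the main thread

    worker_ba = shared_properties["ba"]  # getSharedProperty in the worker thread
    worker_ba.clear()  # frees the data buffer that domainMemory still points to

    try:
        domain.read_byte(0)  # domainMemory access after the buffer was freed
    except BufferFreed:
        return "uaf"
    return "ok"


if __name__ == "__main__":
    print("unpatched:", run_scenario(patched=False))  # uaf
    print("patched:  ", run_scenario(patched=True))   # rejected
```

The model deliberately stores a buffer id in domainMemory rather than a reference to the ByteArray: that is the ownership gap the worker's clear() exploits, and the patch closes it by refusing shareable ByteArrays at the setter instead of tracking the buffer's lifetime.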

  1. Windows x86 exploit - tested on Windows 7 SP1 & Flash

[Figure: t013c2ca007778c2c9e.png]
