This year in May, the foreign security experts discovered an unknown Adobe vulnerabilities being exploited. In the vulnerability was disclosed after, Adobe released an upgrade patch for fix this vulnerability, APSB16-1 5, The number for the CVE-2 0 1 6-4 1 1 7 The. At the same time, the CVE-2 0 1 6-4 1 1 7 vulnerability is classified as high-risk vulnerabilities in the CVSS Score is rated as 1 0. 0, It also affects Windows, Mac OS X, Linux and Chrome OS. Adobe on the release of vulnerability information mentioned in“Windows, mac, Linux and Chrome OS Adobe Flash Player 188.8.131.52 and earlier versions, there is a high risk vulnerability, successful exploitation of the vulnerability may cause the system to crash, or even the attacker can control the affected system.” 0×0 vulnerability profile CVE-2 0 1 6-4 1 1 7 is appear in the ActionScript of com. adobe. tvsdk. mediacore. timeline. operations. DeleteRangeTimelineOperation class in a type confusion vulnerability,which eventually could lead to remote code execution,in May this year when the first occurrence of field samples. In this class, there are the following two get, set Interface Figure 0-0, The name of the placement, if we use this class as a base class in sub-classes create a the same name of the object, figure 0-1, The avm of the virtual machine in the explanation of the process an error occurs, causing the type of Confusion.
! Figure 0-1） 0×1 vulnerability related knowledge To learn more about this vulnerability in-depth principle, first of all we want to know about the avm of the virtual machine interpreter bytecode getproperty（0×6 6 the logic of the process. adobe on github published through the avm of the virtual machine source code, and there is some reference documentation, although this is 3 years ago the code, but still can be used as a reference. First, we can view getproperty this instruction Description 1-0: the
! Figure 1-1） getBinding is based on our attribute name, and finally return to a bind ID value, and then according to this value to remove the different function or field value. This ID value consists of two parts, respectively is the lower three bits of the bit and the rest of the bit, low three bits of the bit saved is this property type, the rest of the bit to save this ID the real value of the enumeration value as shown:
! Figure（1-2） Subsequent bindingKind is Will this ID value with the 7 phase, that is, remove the low three bits of the bit, then switch table according to this value for different operations, here with the vulnerability associated with the two, one is BKING_VAR（2）, The General is the object, uint, etc. variables, one is BKING_GET（5）, the corresponding get interface, first we see BKING_VAR: the
! Figure（1-3） BindingToSlotId is right-shifted three bits, to get the Real ID value, then according to the ID value of the removed real value, getSlotAtom logic is also very simple, such as ID value is 0×5, will remove the object offset 0×5*4 of value, of course, also be carried out to determine the type, as this type is a double type then remove the 8 bytes, if it is int type, then remove the 4 bytes. Comparison of the compilation instructions are as follows:
! Figure（1-6） This code is more complex, first explain a few terms: Vtable: the A save the as level than the native level virtual function list the objects inside the methods array to save to a different virtual function of the object corresponding to the MethodEnv, generally stored in the object+0×8 offset position. MethodEnv: in its+0×8 to save the MethodInfo object. MethodInfo: in its 0×8 to save a virtual function will call the function pointer. The final will call this function pointer to invoke a get or set interface. This code is first shifted to the right three bits, to get the Real ID value, then this ID value as the index from the methods in the array remove the corresponding virtual function of the MethodEnv object, and then call the corresponding get or set interface. The corresponding assembler instruction is as follows:
! Figure（1-7） Another need to know is the byteArray data structure, according to different versions,the byteArray object+0×4 0 or +0×4 4 or +0×4 8 There will be a m_buffer,m_buffer+0×8 save true to save data to the array,+0×1 0 is the length. Specifically as shown: