Adobe Flash - Object.unwatch Use-After-Free Exploit

Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html
 
The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 
 
 This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:
 
  var o = {};
 o.unwatch();
 
 The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString  could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:
 
  void* args = alloca( args_size );
 for( int i = 0; i < args_size; i++){
  // Init args
 }
 
 if ( ((int) args[0]) & 6 == 6 )
  args[0] = call_toString( args[0] );
 
 if ( args_size < 1)
  exit();
 
 
Exploit:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39631.zip

#  0day.today [2018-02-09]  #