Vendor: Flash Player
By: Yuki Chen
CVSS: 7.8 (HIGH)
Type: UaF (Use-After-Free)
CWE: 416
Product Name: Flash Player
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2015
ActionScript parameter conversion in the fix for an issue in the December Flash bulletin
The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin can sometimes access a parameter on the native stack that is uninitialized. If a parameter array is allocated using alloca(0), the result is a 16-byte allocation (the minimum size for alloca in the implementation) that does not get initialized. The conversion function in the UaF check then assumes that at least one parameter has been allocated and attempts to convert the stack parameter to a string, even though the slot still holds a previous value (a UTF string “fffff ... ” in the PoC).
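A small C model of the pattern described above, added here as an illustration; it is not Flash Player code or the reporter's PoC. The frame allocator, the function names and the sample string are hypothetical stand-ins; only the 16-byte minimum and the zero-parameter case come from the description.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a native call frame: like alloca, it hands out
   stack-like memory without clearing it. */
typedef const char *param_t;          /* one converted-parameter slot */
#define MIN_ALLOC 16                  /* minimum allocation size, per the page */
static param_t frame[16];
static size_t frame_top;              /* next free slot */

static param_t *frame_alloca(size_t bytes) {
    size_t size = bytes < MIN_ALLOC ? MIN_ALLOC : bytes;
    param_t *p = &frame[frame_top];   /* contents are whatever was left behind */
    frame_top += (size + sizeof(param_t) - 1) / sizeof(param_t);
    return p;
}
static void frame_reset(void) { frame_top = 0; }   /* models returning from a call */

/* Flawed pattern: assumes at least one parameter exists and reads slot 0. */
static const char *first_as_string_unchecked(param_t *args, size_t argc) {
    (void)argc;
    return args[0];
}

/* Hardened pattern: the count, not the allocation size, decides what is valid. */
static const char *first_as_string_checked(param_t *args, size_t argc) {
    return argc >= 1 ? args[0] : NULL;
}

/* An earlier call with one argument leaves its value in the frame; a later
   call with zero arguments reuses the same bytes without initializing them. */
static const char *call_with_zero_args(int checked) {
    static const char stale[] = "fffff";            /* constructed sample value */
    frame_reset();
    param_t *prev = frame_alloca(1 * sizeof(param_t));
    prev[0] = stale;
    frame_reset();
    param_t *args = frame_alloca(0 * sizeof(param_t));   /* the alloca(0) case */
    return checked ? first_as_string_checked(args, 0)
                   : first_as_string_unchecked(args, 0);
}

int main(void) {
    /* Exit status 0 when the checked path refuses to read the stale slot. */
    return call_with_zero_args(1) == NULL ? 0 : 1;
}
```

The unchecked path returns the value left by the earlier call, which is the stale-read behaviour the description attributes to the conversion function; the checked path returns nothing because the parameter count is zero.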
Mitigation:
Adobe has released a patch to address this vulnerability.