header-logo
Suggest Exploit
vendor:
Flash Player
by:
Project Zero
6,5
CVSS
MEDIUM
Uninitialized Variable
457
CWE
Product Name: Flash Player
Affected Version From: Flash Player 16.0.0.287
Affected Version To: Flash Player 18.0.0.194
Patch Exists: YES
Related CWE: CVE-2016-4271
CPE: o:adobe:flash_player
Metasploit: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-4277/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-4271/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-4271/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-4278/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-4271/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-4277/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-4278/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-4277/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-4278/https://www.rapid7.com/db/vulnerabilities/flash_player-cve-2016-4278/https://www.rapid7.com/db/vulnerabilities/flash_player-cve-2016-4271/https://www.rapid7.com/db/vulnerabilities/flash_player-cve-2016-4277/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2016

Uninitialized Variable

This vulnerability is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it.

Mitigation:

Adobe has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html

The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 

 This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:

  var o = {};
 o.unwatch();

 The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString  could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

  void* args = alloca( args_size );
 for( int i = 0; i < args_size; i++){
  // Init args
 }

 if ( ((int) args[0]) & 6 == 6 )
  args[0] = call_toString( args[0] );

 if ( args_size < 1)
  exit();


Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39631.zip

Navigation

Suggest Exploit

Services By CQR