In certain cases where a native AS2 class sets an internal atom to a value, a use-after-free can occur if the variable is a SharedObject. The proof of concept provided shows this by setting NetConnection.uri, but the issue occurs in several other cases as well. A fla, an AS file and two swfs are attached. slot.fla compiles to setnum.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf and sets up the heap to cause a crash. To reproduce the issue, put loadswf.swf and slot.swf in the same folder on a webserver (the PoCs don't always work locally due to Flash network sandboxing) and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would also be reachable on a 32-bit system with proper heap set-up.
An instance of ActionScript's Sound class allows loading, and extracting for further processing, any kind of external data, not only sound files. The same-origin policy doesn't apply here. Each input byte of raw data, previously loaded from the given URL, is encoded by an unspecified function into the same 8 successive sample blocks of output. A sample block consists of 8 bytes (the first 4 bytes for the left channel and the next 4 bytes for the right channel). Only 2 bytes from the 8 sound blocks (64 bytes) are crucial; the remaining 52 bytes are useless. Each input byte in the range 0-255 has a corresponding constant unsigned integer value (the result of encoding), so for decoding purposes you can simply use a lookup table (cf. the source code in BoundlessTunes.as). Put the attached file BoundlessTunes.swf on an HTTP server. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL>, where <URL> is a URL (e.g. one pointing to a cross-origin resource). The received response will be displayed in an alert window.
A use-after-free vulnerability exists in Adobe Flash Player versions prior to 28.0.0.137. The vulnerability is due to a flaw in the handling of the 'createTextField' ActionScript function. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
A bug exists while setting the TextFilter.filters array. Providing an object allows an attacker to execute AS2 code inside the loop that follows. If that code frees the object pointed to by ebx, it can lead to arbitrary code execution.
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute AS2 code by overriding a filter's constructor. If that AS2 code alters the filters array at this point, Flash frees the internal array, leaving a reference to freed memory on the stack. When execution resumes in the loop, a use-after-free occurs.
Issues in DefineBitsLossless and DefineBitsLossless2 lead to the use of uninitialized memory while rendering a picture. This is caused by the return value of a zlib function not being properly checked.
Loading a weird MPD file can corrupt Flash Player's memory. On Win7 x64 SP1 with 32-bit Chrome, the crash looks like this:

6AA8B67C | 8B C3             | mov eax,ebx
6AA8B67E | E8 A1 05 00 00    | call pepflashplayer.6AA8BC24
6AA8B683 | EB A8             | jmp pepflashplayer.6AA8B62D
6AA8B685 | 89 88 D0 00 00 00 | mov dword ptr ds:[eax+D0],ecx   // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00 | mov ecx,dword ptr ds:[eax+88]
6AA8B691 | 33 D2             | xor edx,edx
6AA8B693 | 3B CA             | cmp ecx,edx
6AA8B695 | 74 07             | je pepflashplayer.6AA8B69E
6AA8B697 | 39 11             | cmp dword ptr ds:[ecx],edx
6AA8B699 | 0F 95 C1          | setne cl

At first sight this looks to be an uninitialized stack variable.
A use-after-free vulnerability in AVSS.setSubscribedTags can cause arbitrary code execution. Tested against pepflashplayer.dll 17.0.0.134, based at 0x10000000.
An integer overflow while calling Function.apply can lead to entering an ActionScript function without correctly validating the supplied arguments.
FlashBroker is vulnerable to an NTFS junction attack that writes an arbitrary file to the filesystem with the user's permissions. There is a race condition in the FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where BrokerMoveFileEx opens the original file, and then making the destination a junction. The PoC writes calc.bat to the Startup folder. It has been tested by injecting the DLL into a 32-bit low-integrity IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM, as it needs normal write access to the temporary folder to set up the junction.