vendor:
N/A
by:
Google Security Research
7,8
CVSS
HIGH
Type Confusion
843
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015
Type Confusion Vulnerability in SimpleButton Constructor
There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it not of type Button, type confusion can occur. A SWF needs to be altered in a hex editor to reproduce this issue. To start, build button.fla. This is a swf with the code: var sb = new SimpleButton(); and a font attached. Decompress the swf using flasm -x button.swf, and then replace all occurrences of the font ID (0x0001) in the three tags that use it with the ID of the empty button object (0xfff6). When the button is created, the font will be type confused with a button.
Mitigation:
The best way to mitigate this vulnerability is to ensure that all objects created in the SWF are of the correct type.
