120 - Type Confusion in Setting Microphone Codec - project-zero

Monorail	Project: project-zero ▼ Issues People Development process History	Sign in

Starred by 4 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Nov 2014
Cc:	project-...@google.com
CVE-2014-0577 Finder-natashenka Deadline-90 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe Reported-2014-Oct-3 Id-3070 Fixed-2014-Nov-11

Type Confusion in Setting Microphone Codec

Project Member Reported by natashenka@google.com, Oct 3 2014

Back to list

There is a type confusion bug when setting the codec of a Microphone object. The AVM1 call assumes the first parameter is a string, but does not verify that this is the case. If the parameter is a numeric type instead of a string, String native methods will be called on a pointer that is set by the attacker.

The issue can be reproduce by executing the following ActionScript:

flash.Lib._root._global.ASnative(2104,4).call(flash.Microphone.get(), 7777777777777777);

The method call above is equivalent to Microphone.codec = value.

A sample swf is attached.

m.swf
3.2 KB Download

Comment 1 by cevans@google.com, Oct 4 2014

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comment 2 by cevans@google.com, Oct 6 2014

Labels: Id-3070

Comment 3 by cevans@google.com, Nov 8 2014

Labels: CVE-2014-0577

Comment 4 by cevans@google.com, Nov 20 2014

Labels: -Restrict-View-Commit
Status: Fixed

Comment 5 by cevans@google.com, Nov 20 2014

Labels: Fixed-2014-Nov-11

http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

► Sign in to add a comment