229 - Type Confusion in NetConnection ASnative - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Mar 2015
Cc:	project-...@google.com
Reported-2015-Jan-18 Finder-natashenka Deadline-90 CVE-2015-0336 Id-3227 CCProjectZeroMembers Product-Flash Severity-High Vendor-Adobe

Type Confusion in NetConnection ASnative

Project Member Reported by natashenka@google.com, Jan 15 2015

Back to list

When a NetConnection AS2 native function is called, the this object is verified to either have a type of NetConnection, or to be an untyped object that has a __proto__ descendant with type NetConnection. The this object's user data is then cast to type NetConnection. The userdata is not verified to be NULL if the object is not of type NetConnection. This means that type confusion can occur if the __proto__ of an untyped object with a non-null userdata (such as a native function object) is set to and object of type NetConnection.

var b = ASnative(2100, 0x77777777);
var n = new NetConnection()
b.__proto__ = n;
var f = ASnative(2100, 0); //NetConnection.connect
f.call(b, 1);

A sample swf and .fla file are attached. To trigger the issue, press the purple button.

NC3.swf
748 bytes Download

NC.fla
5.4 KB Download

Comment 1 by cevans@google.com, Jan 18 2015

Labels: -Reported-2015-Jan-15 Reported-2015-Jan-18

Comment 2 by cevans@google.com, Jan 19 2015

Labels: Id-3227

Comment 3 by cevans@google.com, Mar 6 2015

Labels: CVE-2015-0336

Comment 4 by cevans@google.com, Mar 12 2015

Status: Fixed

https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

Comment 5 by cevans@google.com, Mar 19 2015

Labels: -Restrict-View-Commit

Project Member Comment 6 by natashenka@google.com, Apr 13 2015

Adding exploit code

Offs.hx
2.2 KB Download

Strs.hx
16.0 KB Download

Test.hx
6.0 KB Download

► Sign in to add a comment