Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 229
Starred by 2 users
Status: Fixed
Owner:
cevans@google.com
Email to this user bounced
Closed: Mar 2015
Cc:
project-...@google.com



Sign in to add a comment
 Type Confusion in NetConnection ASnative
Project Member Reported by natashenka@google.com, Jan 15 2015 Back to list 
When a NetConnection AS2 native function is called, the this object is verified to either have a type of NetConnection, or to be an untyped object that has a __proto__ descendant with type NetConnection. The this object's user data is then cast to type NetConnection. The userdata is not verified to be NULL if the object is not of type NetConnection. This means that type confusion can occur if the __proto__ of an untyped object with a non-null userdata (such as a native function object) is set to and object of type NetConnection.

var b = ASnative(2100, 0x77777777);
var n = new NetConnection()
b.__proto__ = n;
var f = ASnative(2100, 0); //NetConnection.connect
f.call(b, 1);

A sample swf and .fla file are attached. To trigger the issue, press the purple button.
NC3.swf
748 bytes Download
NC.fla
5.4 KB Download
Comment 1 by cevans@google.com, Jan 18 2015
Labels: -Reported-2015-Jan-15 Reported-2015-Jan-18
Comment 2 by cevans@google.com, Jan 19 2015
Labels: Id-3227
Comment 3 by cevans@google.com, Mar 6 2015
Labels: CVE-2015-0336
Comment 5 by cevans@google.com, Mar 19 2015
Labels: -Restrict-View-Commit
Project Member Comment 6 by natashenka@google.com, Apr 13 2015 
Adding exploit code
Offs.hx
2.2 KB Download
Strs.hx
16.0 KB Download
Test.hx
6.0 KB Download
Sign in to add a comment