Status: Fixed
Closed: Dec 2015
Adobe Flash: Type Confusion in IExternalizable.readExternal When Performing Local Serialization
Project Member Reported by natashenka@google.com, Sep 30 2015
If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "teadExternal" and change it to "readExternal".

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
subexternalizable.as (473 bytes)
externalizable.swf (4.0 KB)
superexternalizable.as (481 bytes)
externalizable.as (411 bytes)
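
The missing check described in the report, shown as a simplified C model added here for illustration (not code from the report or from Flash). The `Value` struct, the `vtable` array and all function names are hypothetical, and the payload stands in for whatever the runtime uses to locate the method.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, constructed for illustration; not Flash's real structures. */
typedef enum { KIND_NUMBER, KIND_FUNCTION } Kind;
typedef struct {
    Kind kind;       /* dynamic type tag of the property value */
    size_t payload;  /* method index if KIND_FUNCTION, raw number otherwise */
} Value;
typedef int (*Method)(void);
typedef enum { CALL_OK = 0, ERR_NOT_FUNCTION = -1, ERR_BAD_INDEX = -2 } CallStatus;

static int read_external_impl(void) { return 42; }

#define VTABLE_LEN ((size_t)1)
static const Method vtable[VTABLE_LEN] = { read_external_impl };

Value make_value(Kind kind, size_t payload) {
    Value v = { kind, payload };
    return v;
}

/* Flawed pattern: the tag is ignored, so any payload is taken as a method
 * index. Only the index is returned (no call) to keep the demo defined. */
size_t unchecked_index(Value slot) { return slot.payload; }

/* Hardened pattern: verify the tag and the bounds before dispatching. */
CallStatus checked_call(Value slot, int *result) {
    if (slot.kind != KIND_FUNCTION) return ERR_NOT_FUNCTION;
    if (slot.payload >= VTABLE_LEN) return ERR_BAD_INDEX;
    int r = vtable[slot.payload]();
    if (result != NULL) *result = r;
    return CALL_OK;
}

int main(void) {
    int out = 0;
    Value ok = make_value(KIND_FUNCTION, 0);
    Value overridden = make_value(KIND_NUMBER, 7);  /* non-function value */
    printf("function slot: status=%d\n", checked_call(ok, &out));
    printf("result=%d\n", out);
    printf("overridden slot, unchecked index=%zu (vtable has %zu entries)\n",
           unchecked_index(overridden), VTABLE_LEN);
    printf("overridden slot, checked status=%d\n", checked_call(overridden, &out));
    return 0;
}
```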
Project Member Comment 1 by natashenka@google.com, Oct 15 2015
Labels: CVE-2015-7647
Project Member Comment 2 by natashenka@google.com, Dec 10 2015
Labels: -Restrict-View-Commit
Status: Fixed