Exploit Adobe Flash - Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
38970
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2015-7648
Дата публикации
2015-12-14
Adobe Flash - Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=545

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.

In the following ActionScript:

		flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
		var b = new ByteArray();
		var a = {};
		a.test = 1;
		b.writeObject(a);

The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).

To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip
 
Источник
www.exploit-db.com

Похожие темы