Exploit Adobe Flash - JXR Processing Double-Free

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
40088
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2016-4136
Дата публикации
2016-07-11
Adobe Flash - JXR Processing Double-Free
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=788

There is a heap overflow when loading the attacked JXR file in Adobe Flash. To reproduce, load the attached file using LoadImage.swf?img=12.atf.

This issue can be a bit difficult to reproduce, as the crash occurs when the player is destroyed, so the crash screen doesn't always show up on the Player. The easiest way to detect the issue is to attach a debugger to the Player and refresh a few times.

Took a closer look at this, it is a UaF of plane->model_hp_buffer in the open-source JXR component.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40088.zip
 
Источник
www.exploit-db.com

Похожие темы