Adobe Flash - URL Resource Use-After-Free

EDB-ID:

37875




Platform:

Windows

Date:

2015-08-19


Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following crash was observed in Flash Player 17.0.0.188 on Windows:

(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004           jmp   dword ptr [eax+0x4] ds:0023:3739700a=????????

- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.

- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.

- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.

- The test case minimizes to an 11-bit difference from the original sample file.

- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip