Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix

EDB-ID:

39613




Platform:

Windows

Date:

2016-03-23


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715

The ActionScript parameter conversion in the fix for issue 403 (https://code.google.com/p/google-security-research/issues/detail?id=403) can sometimes access a parameter on the native stack that is uninitialized.

If:

mc.swapDepths();

is called in ActionScript, a parameter array is allocated using alloca(0), which leads to a 16-byte (the minimum size length for alloca in the implementation) that does not get initialized. The conversion function in the UaF check then assumes that at least one parameter has been allocated, and attempts to convert the stack parameter to a string, even though it is a previous value (a UTF string "fffff ... " in the PoC).

A PoC is attached, it is a bit finicky and depends a lot on the specific Flash version. It crashes currently in chrome-unstable, by loading crasher2.swf?num=15, and then immediately loading crasher2.swf?num=4. The num parameter shifts the stack (for nums between 0 and 31), so changing it around should lead to crashes in different browsers.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39613.zip