Adobe Flash - Object.unwatch Use-After-Free

EDB-ID:

39631




Platform:

Multiple

Date:

2016-03-29


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html

The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 

 This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:

  var o = {};
 o.unwatch();

 The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString  could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

  void* args = alloca( args_size );
 for( int i = 0; i < args_size; i++){
  // Init args
 }

 if ( ((int) args[0]) & 6 == 6 )
  args[0] = call_toString( args[0] );

 if ( args_size < 1)
  exit();


Exploit:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39631.zip