Leaderboard

The use-after-free vulnerability exists inside the built-in ByteArray class ByteArray - Adobe ActionScript® 3 (AS3 ) API Reference Let's create a simple ByteArray object: var ba:ByteArray = new ByteArray(); ba.length = 8; ba[1] = 1; Now we can access ba[] items and write numeric byte values into ba[]. Also we are allowed to write objects into ByteArray. For example: var obj = new MyClass(); ba[0] = obj; AS3 will try to implicitly convert the MyClass object into numeric value by calling the MyClass.valueOf() method. This method can be easily redefined within the user's code: class MyClass { prototype.valueOf = function() { ba.length = 88; // reallocate ba[] storage return 0; // return byte for ba[offset] } } Let's see how that implicit conversion occurs inside the native code: push esi mov eax, [esp+8] // the offset value from "ba[offset] = obj" push eax add ecx, 0x18 // ecx = this = "ba" object pointer call ByteArray.getStorage() // gets ba[offset] storage pointer and mov esi, eax // saves it in esi mov ecx, [esp+0xC] // "obj" pointer push ecx call AvmCore.toInteger() // call MyClass.valueOf() add esp,4 mov [esi], al // writes returned byte into array pop esi ret 8 On high-level language this will look like: void ByteArray.setObjInternal(int offset, obj) { byte* dest = this.getStorage(offset); dest* = toInteger(obj); } So the array storage pointer is saved in local variable, then AS3 valueOf() is invoked from the native code and returned byte is written into destination pointer at the end. If valueOf() changes the length of byte array (see above) and reallocates its internal storage, then local destination pointer becomes obsolete and further usage of that pointer can lead to UaF memory corruption. Using this vulnerability, it's very easy to control what byte will be written and at which offset this corruption will occur. Affected: Adobe Flash Player 9 and higher Testing: Open the test "calc.htm" file in your browser and press the button. on Windows: Calc.exe should be popped on desktop IE. Calc.exe should be run as a non-GUI child process in metro IE. Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox. on OS X: Calculator is launched in FF or standalone Flash Player projector. Payload returns 1 from vfork() in Safari sandbox. Download: Adobe exp 2.rar Pass: 123456789

The UaF memory coruption exists inside the AS3 "opaqueBackground" property setter of the flash.display.DisplayObject class. DisplayObject - Adobe ActionScript® 3 (AS3 ) API Reference The DisplayObject source code is not published like the core AS3 classes, so you have to view opaqueBackground setter in your disassembler. Affected: Adobe Flash Player 9+ 32/64-bit (since Jun 2006) Testing: Open the test "calc.htm" file in your browser and press the button. on Windows: Calc.exe should be popped on desktop IE. Calc.exe should be run as a non-GUI child process in metro IE. Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox. You can run Chrome with the --no-sandbox switch to pop the calc. on OS X: Calculator is launched in FF or standalone Flash Player projector. Payload returns 1 from vfork() in Safari/Chrome sandbox (see console logs). Download: Adobe exp 1.rar Pass: 123456789

meriti felicitarile mele bravo! de oameni ca tine are nevoie un forum