Vulnerability on Adobe Flash Player, Exploit in the Wild

September 23, 2016

Adobe Flash Player is prone to a use-after-free vulnerability CVE-2016-4228. This vulnerability affects Adobe Flash Player before, 19.x through on Windows and OS X and before on Linux. An attacker could exploit this vulnerability remotely by a certain crafted swf file, such as embedded in a HTML file. A successful attack could cause arbitrary code execution with the privilege of the current running process.

A prove-of-concept exploit is already in the wild (see reference). Below is the detailed analysis:

The object class that caused this use-after-free is called MovieClip, which is used for manipulate movie clips in ActionScript. The PoC uses the createEmptyMovieClip() function to create such an object.

Figure 1: Documented createEmptyMovieClip() function and its usage.

Afterwards a Rectangle object was created from the flash.geom package. In both the getter/setter function, the previously created MovieClip object (mc) was freed using the removeMovieClip() method.

var g = flash.geom;
g.addProperty("Rectangle",func,func); //point both getter and setter to a same function

function func()
mc.removeMovieClip(); //... and in this function, the MovieClip object is freed
... //fix heap

At this point, the MovieClip object will not be freed until the getter/setter function is actually invoked. And by doing so, the object's reference count will be reduced by 1, causing the object to be freed, and all the reference will be destroyed as well - and the use-after-free would not happen.

However, there's an undocumented function that can be used to call the getter/setter, while still keeping the reference of the MovieClip object: the ASnative() method. The ASnative function is used for return the handler or property of an ActionScript function, depending on the parameters:

var f = ASnative(900,405);

Afterwards, the PoC tried to access the reference of MovieClip object, causing an use-after-free vulnerability.

The break-down of the PoC is shown in the figure below:

Figure 4: The PoC exploit

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signatures to protect their customers:

  • SPY:1024
  • SPY:1371