Vulnerabilities > CVE-2015-0311 - Use After Free Memory Corruption vulnerability in Adobe Flash Player
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.
Vulnerable Configurations
Exploit-Db
| description | Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free. CVE-2015-0311. Remote exploit for windows platform |
| id | EDB-ID:36360 |
| last seen | 2016-02-04 |
| modified | 2015-03-12 |
| published | 2015-03-12 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/36360/ |
| title | Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free |
Metasploit
description This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on: * Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305. * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Flash 11.2.202.424. id MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_PIXEL_BENDER_BOF last seen 2020-06-14 modified 2017-07-24 published 2015-05-20 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb title Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free description This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on: * Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305. * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Flash 11.2.202.424. id MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_UNCOMPRESS_ZLIB_UAF last seen 2020-05-13 modified 2017-07-24 published 2015-05-20 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb title Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_FLASH_PLAYER_16_0_0_296.NASL description According to its version, the Adobe Flash Player installed on the remote Mac OS X host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312) last seen 2020-06-01 modified 2020-06-02 plugin id 80999 published 2015-01-26 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80999 title Flash Player For Mac <= 16.0.0.287 Unspecified Code Execution (APSA15-01) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(80999); script_version("1.19"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-0311", "CVE-2015-0312"); script_bugtraq_id(72283, 72343); script_name(english:"Flash Player For Mac <= 16.0.0.287 Unspecified Code Execution (APSA15-01)"); script_summary(english:"Checks the version of Flash Player."); script_set_attribute(attribute:"synopsis", value: "The remote Mac OS X host has a browser plugin that is affected by multiple code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the Adobe Flash Player installed on the remote Mac OS X host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)"); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsa15-01.html"); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb15-03.html"); # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cb17c10"); script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/products/flashplayer/distribution3.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Flash Player version 16.0.0.296 or later. Alternatively, Adobe has made version 13.0.0.264 available for those installations that cannot be upgraded to 16.x."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0312"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_flash_player_installed.nasl"); script_require_keys("MacOSX/Flash_Player/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("MacOSX/Flash_Player/Version"); path = get_kb_item_or_exit("MacOSX/Flash_Player/Path"); if (ver_compare(ver:version, fix:"14.0.0.0", strict:FALSE) >= 0) { cutoff_version = "16.0.0.287"; fix = "16.0.0.296"; } else { cutoff_version = "13.0.0.262"; fix = "13.0.0.264"; } # nb: we're checking for versions less than *or equal to* the cutoff! if (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0) { if (report_verbosity > 0) { report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, "Flash Player for Mac", version, path);NASL family Windows NASL id FLASH_PLAYER_APSA15-01.NASL description According to its version, the Adobe Flash Player installed on the remote Windows host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312) last seen 2020-06-01 modified 2020-06-02 plugin id 80998 published 2015-01-26 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80998 title Flash Player <= 16.0.0.287 Unspecified Code Execution (APSA15-01 / APSB15-03) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(80998); script_version("1.21"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-0311", "CVE-2015-0312"); script_bugtraq_id(72283, 72343); script_name(english:"Flash Player <= 16.0.0.287 Unspecified Code Execution (APSA15-01 / APSB15-03)"); script_summary(english:"Checks the version of Flash Player."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has a browser plugin that is affected by multiple code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the Adobe Flash Player installed on the remote Windows host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)"); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsa15-01.html"); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb15-03.html"); # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cb17c10"); script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/products/flashplayer/distribution3.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Flash Player version 16.0.0.296 or later. Alternatively, Adobe has made version 13.0.0.264 available for those installations that cannot be upgraded to 16.x."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0312"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("flash_player_installed.nasl"); script_require_keys("SMB/Flash_Player/installed"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/Flash_Player/installed"); # Identify vulnerable versions. info = ""; # we're checking for versions less than *or equal to* the cutoff! foreach variant (make_list("Plugin", "ActiveX", "Chrome", "Chrome_Pepper")) { vers = get_kb_list("SMB/Flash_Player/"+variant+"/Version/*"); files = get_kb_list("SMB/Flash_Player/"+variant+"/File/*"); if (!isnull(vers) && !isnull(files)) { foreach key (keys(vers)) { ver = vers[key]; if (ver) { iver = split(ver, sep:'.', keep:FALSE); for (i=0; i<max_index(iver); i++) iver[i] = int(iver[i]); if ( ( # Chrome Flash <= 16.0.0.287 variant == "Chrome_Pepper" && ( (iver[0] < 16) || (iver[0] == 16 && iver[1] == 0 && iver[2] == 0 && iver[3] <= 287) ) ) || (variant != "Chrome_Pepper" && ( ( # < 13 ( iver[0] < 13 || # 13.0.0.x <= 13.0.0.262 ( iver[0] == 13 && ( iver[1] == 0 && ( iver[2] == 0 && ( iver[3] <= 262 ) ) ) ) ) || # 14.0.0.x <= 16.0.0.287 ( iver[0] == 14 || ( iver[0] == 15 || ( iver[0] == 16 && ( iver[1] == 0 && ( iver[2] == 0 && ( iver[3] <= 287 ) ) ) ) ) ) ) ) ) ) { num = key - ("SMB/Flash_Player/"+variant+"/Version/"); file = files["SMB/Flash_Player/"+variant+"/File/"+num]; if (variant == "Plugin") { info += '\n Product : Browser Plugin (for Firefox / Netscape / Opera)'; fix = "16.0.0.296 / 13.0.0.264"; } else if (variant == "ActiveX") { info += '\n Product : ActiveX control (for Internet Explorer)'; fix = "16.0.0.296 / 13.0.0.264"; } else if ("Chrome" >< variant) { info += '\n Product : Browser Plugin (for Google Chrome)'; } info += '\n Path : ' + file + '\n Installed version : ' + ver; if (variant == "Chrome_Pepper") info += '\n Fixed version : 16.0.0.296 (Chrome PepperFlash)'; else info += '\n Fixed version : '+fix; info += '\n'; } } } } } if (info) { port = get_kb_item("SMB/transport"); if (!port) port = 445; if (report_verbosity > 0) security_hole(port:port, extra:info); else security_hole(port); } else { if (thorough_tests) exit(0, 'No vulnerable versions of Adobe Flash Player were found.'); else exit(1, 'Google Chrome\'s built-in Flash Player may not have been detected because the \'Perform thorough tests\' setting was not enabled.'); }NASL family Windows NASL id SMB_KB3035034.NASL description The remote host is missing KB3035034. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0312) last seen 2020-06-01 modified 2020-06-02 plugin id 81046 published 2015-01-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81046 title MS KB3035034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201502-02.NASL description The remote host is affected by the vulnerability described in GLSA-201502-02 (Adobe Flash Player: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information or bypass security restrictions. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 81225 published 2015-02-09 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81225 title GLSA-201502-02 : Adobe Flash Player: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-78.NASL description Adobe Flash Player was updated to 11.2.202.440 (bsc#914463, APSA15-01, CVE-2015-0311). More information can be found on https://helpx.adobe.com/security/products/flash-player/apsa15-01.html An update of flashplayer (executable binary) for i386 is currently not available. Disabled! last seen 2020-06-05 modified 2015-01-28 plugin id 81030 published 2015-01-28 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81030 title openSUSE Security Update : flash-player (openSUSE-SU-2015:0150-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-0094.NASL description An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security Bulletin APSB15-02, and APSB15-03, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2015-0310, CVE-2015-0311, CVE-2015-0312) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.440. last seen 2020-06-01 modified 2020-06-02 plugin id 81036 published 2015-01-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81036 title RHEL 5 / 6 : flash-plugin (RHSA-2015:0094) NASL family Windows NASL id GOOGLE_CHROME_40_0_2214_93.NASL description The version of Google Chrome installed on the remote Windows host is prior to 40.0.2214.93. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312) last seen 2020-06-01 modified 2020-06-02 plugin id 81020 published 2015-01-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81020 title Google Chrome < 40.0.2214.93 Flash Player Multiple Remote Code Execution NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_37A87ADEA59F11E4958E0011D823EEBD.NASL description Adobe reports : Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. last seen 2020-06-01 modified 2020-06-02 plugin id 81009 published 2015-01-27 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81009 title FreeBSD : Adobe Flash Player -- critical vulnerability (37a87ade-a59f-11e4-958e-0011d823eebd) NASL family SuSE Local Security Checks NASL id SUSE_11_FLASH-PLAYER-150127.NASL description Adobe Flash Player was updated to version 11.2.202.440 (bsc#914463, APSA15-01, CVE-2015-0311). More information can be found at https://helpx.adobe.com/security/products/flash-player/apsa15-01.html . An update of flashplayer (executable binary) for i386 is currently not available and was thus disabled. last seen 2020-06-01 modified 2020-06-02 plugin id 81077 published 2015-01-29 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81077 title SuSE 11.3 Security Update : flash-player (SAT Patch Number 10226) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-81.NASL description Adobe Flash Player was updated to 11.2.202.440 (bsc#914463) : - APSA15-01, CVE-2015-0311 - Update of flashplayer (executable binary) for i386 is not available. This binary was disabled. - Security update to 11.2.202.438 (bsc#914333) : - APSB15-02, CVE-2015-0310 - Security update to 11.2.202.429 (bsc#913057) : - APSB15-01, CVE-2015-0301, CVE-2015-0302, CVE-2015-0303, CVE-2015-0304, CVE-2015-0305, CVE-2015-0306, CVE-2015-0307, CVE-2015-0308, CVE-2015-0309. - Disable flash player on machines without SSE2 (bnc#856386). - Remove outdated README and keep only up-to-date readme.txt. last seen 2020-06-05 modified 2015-01-30 plugin id 81098 published 2015-01-30 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81098 title openSUSE Security Update : flash-player (openSUSE-SU-2015:0174-1) NASL family MacOS X Local Security Checks NASL id MACOSX_GOOGLE_CHROME_40_0_2214_93.NASL description The version of Google Chrome installed on the remote Mac OS X host is prior to 40.0.2214.93. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311) - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312) last seen 2020-06-01 modified 2020-06-02 plugin id 81021 published 2015-01-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81021 title Google Chrome < 40.0.2214.93 Flash Player Multiple Remote Code Execution (Mac OS X)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/130788/adobe_flash_uncompress_zlib_uaf.rb.txt |
| id | PACKETSTORM:130788 |
| last seen | 2016-12-05 |
| published | 2015-03-12 |
| reporter | juan vazquez |
| source | https://packetstormsecurity.com/files/130788/Adobe-Flash-Player-ByteArray-UncompressViaZlibVariant-Use-After-Free.html |
| title | Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free |
Redhat
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | <p>这个漏洞和 Flash 的 ByteArray 成因类似, 都是调用了 Clasz.valueOf() 参数引发的 uaf 命令执行</p><p>Vulcan 在第一时间进行了分析,基于该报告(1)进行说明:</p><pre class="lang-js" data-lang="js">// try to allocate two sequential pages of memory: [ matrix ][ MyClass2 ] for(i=20; i < alen; i+=6){ a[i] = new Class2(i); for(j=i+1; j < i+5; j++) a[j] = new ConvolutionFilter(14,15); // ConvolutionFilter 在这里创建 a[i+5] = new Class2(i+5); }</pre><pre class="lang-js" data-lang="js">var m:Array = new Array(bLen); m[0] = new Clasz; m[1] = m[0]; // 设置 matrix try { filter.matrix = m; } catch (e:Error){}<br></pre><p>这里有一个关键点,filter.matrix 被赋值为 m(类型是 Array),而 Array m 的第一个元素是一个 Clasz 类,而 Clasz 类定义了 valueOf 方法,这个 valueOf 是漏洞触发的关键点:<br></p><p>3. 在 Clasz 的 valueOf 函数中,设置 matrixX: </p><pre class="lang-js" data-lang="js">filter.matrixX = 15; // reallocate filter matrix, 执行完毕后 ConvolutionFilter 内部的 // 一个 float 数组 (matrixArray) 就会被释放, 而经过 valueOf() 之后 // 已释放的 matrixArray 还会继续使用, 并且往里面写入数据 // 从而造成了 use after free. </pre><p>可以看到 valueOf 函数中,在设置了filter.matrixX 之后,分配了一系列的 Vector<uint>,这些Vector就是用来占用释放后的 matrixArray 的内存的。</p><p>这样当程序继续往被释放后的 matrixArray 里写数据时,实际上是在往 Vector 对象里面写数据,从而达到修改 Vector 长度字段的目的。</p><p>参考链接: </p><p>(1) <a href="http://blogs.360.cn/blog/hacking-team-part2/" target="_blank">Hacking Team 攻击代码分析 Part 2</a></p><p>(2) <a href="http://drops.wooyun.org/papers/5446" target="_blank">Exploiting CVE-2015-0311(超详细)</a> </p><p>(3) <a href="http://drops.wooyun.org/papers/5460" target="_blank">Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard(超详细)</a></p> |
| id | SSV:89240 |
| last seen | 2017-11-19 |
| modified | 2015-07-08 |
| published | 2015-07-08 |
| reporter | Root |
| title | Adobe Flash Player Convolution Filter UAF 命令执行 |
The Hacker News
id THN:40B2D007112A9624A902E319B3C1366B last seen 2018-01-27 modified 2015-02-05 published 2015-02-02 reporter Swati Khandelwal source https://thehackernews.com/2015/02/adobe-flash-zero-day-vulnerability_2.html title Another Unpatched Adobe Flash Zero-Day vulnerability Exploited in the Wild id THN:52D71A1567BF0E67D7740044EBED3202 last seen 2018-01-27 modified 2015-01-25 published 2015-01-25 reporter Mohit Kumar source https://thehackernews.com/2015/01/adobe-flash-player-update.html title Adobe patches 2nd Flash Player Zero-day Vulnerability
References
- http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
- http://helpx.adobe.com/security/products/flash-player/apsb15-03.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00031.html
- http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
- http://secunia.com/advisories/62432
- http://secunia.com/advisories/62543
- http://secunia.com/advisories/62650
- http://secunia.com/advisories/62660
- http://secunia.com/advisories/62740
- http://security.gentoo.org/glsa/glsa-201502-02.xml
- http://www.securityfocus.com/bid/72283
- http://www.securitytracker.com/id/1031597
- https://technet.microsoft.com/library/security/2755801