CVE-2015-0312 - Double Free vulnerability in Adobe Flash Player
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.
Nessus
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_FLASH_PLAYER_16_0_0_296.NASL
description: According to its version, the Adobe Flash Player installed on the remote Mac OS X host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities :
  - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311)
  - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80999
published: 2015-01-26
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80999
title: Flash Player For Mac <= 16.0.0.287 Unspecified Code Execution (APSA15-01)
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(80999);
      script_version("1.19");
      script_cvs_date("Date: 2019/11/25");

      script_cve_id("CVE-2015-0311", "CVE-2015-0312");
      script_bugtraq_id(72283, 72343);

      script_name(english:"Flash Player For Mac <= 16.0.0.287 Unspecified Code Execution (APSA15-01)");
      script_summary(english:"Checks the version of Flash Player.");

      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host has a browser plugin that is affected by
    multiple code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the Adobe Flash Player installed on the
    remote Mac OS X host is equal or prior to 16.0.0.287. It is,
    therefore, affected by the following vulnerabilities :

      - A use-after-free error exists that allows an attacker to
        crash the application or execute arbitrary code.
        (CVE-2015-0311)

      - A double-free error exists that allows an attacker to
        crash the application or possibly execute arbitrary code.
        (CVE-2015-0312)");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsa15-01.html");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb15-03.html");
      # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cb17c10");
      script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/products/flashplayer/distribution3.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Flash Player version 16.0.0.296 or later.

    Alternatively, Adobe has made version 13.0.0.264 available for those
    installations that cannot be upgraded to 16.x.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0312");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("macosx_flash_player_installed.nasl");
      script_require_keys("MacOSX/Flash_Player/Version");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");

    version = get_kb_item_or_exit("MacOSX/Flash_Player/Version");
    path = get_kb_item_or_exit("MacOSX/Flash_Player/Path");

    if (ver_compare(ver:version, fix:"14.0.0.0", strict:FALSE) >= 0)
    {
      cutoff_version = "16.0.0.287";
      fix = "16.0.0.296";
    }
    else
    {
      cutoff_version = "13.0.0.262";
      fix = "13.0.0.264";
    }

    # nb: we're checking for versions less than *or equal to* the cutoff!
    if (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n Path : ' + path +
          '\n Installed version : ' + version +
          '\n Fixed version : ' + fix +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "Flash Player for Mac", version, path);

NASL family: Windows
NASL id: FLASH_PLAYER_APSA15-01.NASL
description: According to its version, the Adobe Flash Player installed on the remote Windows host is equal or prior to 16.0.0.287. It is, therefore, affected by the following vulnerabilities :
  - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311)
  - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80998
published: 2015-01-26
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80998
title: Flash Player <= 16.0.0.287 Unspecified Code Execution (APSA15-01 / APSB15-03)
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(80998);
      script_version("1.21");
      script_cvs_date("Date: 2019/11/25");

      script_cve_id("CVE-2015-0311", "CVE-2015-0312");
      script_bugtraq_id(72283, 72343);

      script_name(english:"Flash Player <= 16.0.0.287 Unspecified Code Execution (APSA15-01 / APSB15-03)");
      script_summary(english:"Checks the version of Flash Player.");

      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a browser plugin that is affected by
    multiple code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the Adobe Flash Player installed on the
    remote Windows host is equal or prior to 16.0.0.287. It is,
    therefore, affected by the following vulnerabilities :

      - A use-after-free error exists that allows an attacker to
        crash the application or execute arbitrary code.
        (CVE-2015-0311)

      - A double-free error exists that allows an attacker to
        crash the application or possibly execute arbitrary code.
        (CVE-2015-0312)");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsa15-01.html");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsb15-03.html");
      # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cb17c10");
      script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/products/flashplayer/distribution3.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Flash Player version 16.0.0.296 or later.

    Alternatively, Adobe has made version 13.0.0.264 available for those
    installations that cannot be upgraded to 16.x.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0312");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");

      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("flash_player_installed.nasl");
      script_require_keys("SMB/Flash_Player/installed");

      exit(0);
    }

    include("global_settings.inc");
    include("misc_func.inc");

    get_kb_item_or_exit("SMB/Flash_Player/installed");

    # Identify vulnerable versions.
    info = "";

    # we're checking for versions less than *or equal to* the cutoff!
    foreach variant (make_list("Plugin", "ActiveX", "Chrome", "Chrome_Pepper"))
    {
      vers = get_kb_list("SMB/Flash_Player/"+variant+"/Version/*");
      files = get_kb_list("SMB/Flash_Player/"+variant+"/File/*");
      if (!isnull(vers) && !isnull(files))
      {
        foreach key (keys(vers))
        {
          ver = vers[key];

          if (ver)
          {
            iver = split(ver, sep:'.', keep:FALSE);
            for (i=0; i<max_index(iver); i++)
              iver[i] = int(iver[i]);

            if (
              (
                # Chrome Flash <= 16.0.0.287
                variant == "Chrome_Pepper" &&
                (
                  (iver[0] < 16) ||
                  (iver[0] == 16 && iver[1] == 0 && iver[2] == 0 && iver[3] <= 287)
                )
              ) ||
              (variant != "Chrome_Pepper" &&
                (
                  (
                    # < 13
                    (
                      iver[0] < 13 ||
                      # 13.0.0.x <= 13.0.0.262
                      (
                        iver[0] == 13 &&
                        (
                          iver[1] == 0 &&
                          (
                            iver[2] == 0 &&
                            (
                              iver[3] <= 262
                            )
                          )
                        )
                      )
                    ) ||
                    # 14.0.0.x <= 16.0.0.287
                    (
                      iver[0] == 14 ||
                      (
                        iver[0] == 15 ||
                        (
                          iver[0] == 16 &&
                          (
                            iver[1] == 0 &&
                            (
                              iver[2] == 0 &&
                              (
                                iver[3] <= 287
                              )
                            )
                          )
                        )
                      )
                    )
                  )
                )
              )
            )
            {
              num = key - ("SMB/Flash_Player/"+variant+"/Version/");
              file = files["SMB/Flash_Player/"+variant+"/File/"+num];
              if (variant == "Plugin")
              {
                info += '\n Product : Browser Plugin (for Firefox / Netscape / Opera)';
                fix = "16.0.0.296 / 13.0.0.264";
              }
              else if (variant == "ActiveX")
              {
                info += '\n Product : ActiveX control (for Internet Explorer)';
                fix = "16.0.0.296 / 13.0.0.264";
              }
              else if ("Chrome" >< variant)
              {
                info += '\n Product : Browser Plugin (for Google Chrome)';
              }
              info += '\n Path : ' + file +
                      '\n Installed version : ' + ver;
              if (variant == "Chrome_Pepper")
                info += '\n Fixed version : 16.0.0.296 (Chrome PepperFlash)';
              else
                info += '\n Fixed version : '+fix;
              info += '\n';
            }
          }
        }
      }
    }

    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;

      if (report_verbosity > 0) security_hole(port:port, extra:info);
      else security_hole(port);
    }
    else
    {
      if (thorough_tests)
        exit(0, 'No vulnerable versions of Adobe Flash Player were found.');
      else
        exit(1, 'Google Chrome\'s built-in Flash Player may not have been detected because the \'Perform thorough tests\' setting was not enabled.');
    }

NASL family: Windows
NASL id: SMB_KB3035034.NASL
description: The remote host is missing KB3035034. It is, therefore, affected by the following vulnerabilities :
  - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311)
  - A double-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0312)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81046
published: 2015-01-28
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81046
title: MS KB3035034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2015-0094.NASL
description: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security Bulletin APSB15-02, and APSB15-03, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2015-0310, CVE-2015-0311, CVE-2015-0312) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.440.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81036
published: 2015-01-28
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81036
title: RHEL 5 / 6 : flash-plugin (RHSA-2015:0094)

NASL family: Windows
NASL id: GOOGLE_CHROME_40_0_2214_93.NASL
description: The version of Google Chrome installed on the remote Windows host is prior to 40.0.2214.93. It is, therefore, affected by the following vulnerabilities :
  - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311)
  - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81020
published: 2015-01-27
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81020
title: Google Chrome < 40.0.2214.93 Flash Player Multiple Remote Code Execution

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_GOOGLE_CHROME_40_0_2214_93.NASL
description: The version of Google Chrome installed on the remote Mac OS X host is prior to 40.0.2214.93. It is, therefore, affected by the following vulnerabilities :
  - A use-after-free error exists that allows an attacker to crash the application or execute arbitrary code. (CVE-2015-0311)
  - A double-free error exists that allows an attacker to crash the application or possibly execute arbitrary code. (CVE-2015-0312)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81021
published: 2015-01-27
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81021
title: Google Chrome < 40.0.2214.93 Flash Player Multiple Remote Code Execution (Mac OS X)

References
- http://helpx.adobe.com/security/products/flash-player/apsb15-03.html
- http://secunia.com/advisories/62432
- http://secunia.com/advisories/62543
- http://secunia.com/advisories/62660
- http://www.securityfocus.com/bid/72343
- http://www.securitytracker.com/id/1031634
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100394
- https://technet.microsoft.com/library/security/2755801