CVE-2015-7648
Description
Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-7647.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Adobe Flash - Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter
Source: https://code.google.com/p/google-security-research/issues/detail?id=545
There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.
In the following ActionScript:
flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
var b = new ByteArray();
var a = {};
a.test = 1;
b.writeObject(a);
The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).
To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zipOS impact
Linux kernel Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | โ |
macOS Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| adobe | flash_player | {"endIncluding":"11.2.202.535"} | |
References
- http://rhn.redhat.com/errata/RHSA-2015-1913.html
- http://rhn.redhat.com/errata/RHSA-2015-2024.html
- http://www.securityfocus.com/bid/77116
- http://www.securitytracker.com/id/1033850
- https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
- https://security.gentoo.org/glsa/201511-02
- https://www.exploit-db.com/exploits/38970/
- http://rhn.redhat.com/errata/RHSA-2015-1913.html
- http://rhn.redhat.com/errata/RHSA-2015-2024.html
- http://www.securityfocus.com/bid/77116
- http://www.securitytracker.com/id/1033850
- https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
- https://security.gentoo.org/glsa/201511-02
- https://www.exploit-db.com/exploits/38970/
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.