
Adobe Flash Player and AIR AVM2 intf_count Integer Overflow

Aleph Research Advisory

Identifier

Severity

Critical

Product

Adobe Flash

Vulnerable Version

Verified on v10.0.22.87

Mitigation

Install Adobe Flash Player (10.0.32.18) / AIR (1.5.2) or later.

Technical Details

An integer overflow exists in the AVM2 abcFile parser code that handles the intrf_count value of the instance_info structure. When intrf_count is larger than 0x10000000, an integer overflow causes it to be treated as zero, which leads to an out-of-bounds pointer dereference. The out-of-bounds object contains arbitrary values (in the context of the code that handles the interfaces count element), and these can be manipulated so that an arbitrary memory overwrite with an attacker-supplied destination and value becomes possible.
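The following C program is an added illustration of the bug class described above, written for this advisory and not taken from Adobe's parser or the Aleph Research proof of concept. It decodes an intrf_count value in the ABC variable-length u30 encoding from a constructed byte string, shows how an unchecked 32-bit size computation for the interface table wraps to zero for a count of 0x10000000, and then applies the two checks a hardened parser needs: an overflow-safe multiplication bound and a sanity bound against the bytes remaining in the file. The 16-byte interface entry size, the `read_u30` helper and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed size of one entry in the in-memory interface table. Not Adobe's real value. */
#define INTERFACE_ENTRY_SIZE 16u

/* Decode an ABC variable-length unsigned value (little-endian base-128, up to 5 bytes).
   Returns the number of bytes consumed, or 0 if the input is truncated. */
size_t read_u30(const uint8_t *p, size_t len, uint32_t *out) {
    uint32_t value = 0;
    for (size_t i = 0; i < 5 && i < len; i++) {
        value |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *out = value; return i + 1; }
    }
    return 0;
}

/* Unchecked 32-bit size computation of the kind the advisory describes.
   For intrf_count == 0x10000000 the product is 0x100000000, which wraps to 0. */
uint32_t unchecked_table_bytes(uint32_t intrf_count) {
    return intrf_count * INTERFACE_ENTRY_SIZE;
}

/* Hardened version: reject any count whose table size cannot be represented in
   32 bits, and any count larger than the bytes left in the file (each interface
   index occupies at least one byte, so more entries than bytes is impossible).
   Returns 1 and writes the byte size on success, 0 on rejection. */
int checked_table_bytes(uint32_t intrf_count, size_t bytes_remaining, uint32_t *out) {
    if (intrf_count > UINT32_MAX / INTERFACE_ENTRY_SIZE) return 0;  /* would overflow */
    if (intrf_count > bytes_remaining) return 0;                   /* cannot fit in file */
    *out = intrf_count * INTERFACE_ENTRY_SIZE;
    return 1;
}

/* Parse intrf_count from the start of a constructed instance_info fragment and
   validate it. Always reports the decoded count; returns 1 only if accepted. */
int parse_and_check(const uint8_t *buf, size_t len, uint32_t *count_out, uint32_t *bytes_out) {
    uint32_t count;
    size_t used = read_u30(buf, len, &count);
    if (used == 0) return 0;
    *count_out = count;
    return checked_table_bytes(count, len - used, bytes_out);
}

/* Constructed sample inputs: u30 encodings of 0x10000000 and of 3, each followed
   by a few filler bytes standing in for the rest of the instance_info entry. */
const uint8_t HOSTILE_INTRF_COUNT[] = {0x80, 0x80, 0x80, 0x80, 0x01, 0x01, 0x02, 0x03};
const uint8_t BENIGN_INTRF_COUNT[]  = {0x03, 0x01, 0x02, 0x03};

int main(void) {
    uint32_t count, bytes;
    int ok = parse_and_check(HOSTILE_INTRF_COUNT, sizeof HOSTILE_INTRF_COUNT, &count, &bytes);
    printf("hostile: intrf_count=0x%08x unchecked_bytes=%u accepted=%d\n",
           count, unchecked_table_bytes(count), ok);
    ok = parse_and_check(BENIGN_INTRF_COUNT, sizeof BENIGN_INTRF_COUNT, &count, &bytes);
    printf("benign:  intrf_count=%u table_bytes=%u accepted=%d\n", count, bytes, ok);
    return 0;
}
```

The first check alone (bounding the multiplication) is what closes the wrap-to-zero path; the second check is cheap and rejects the whole class of absurd counts before any allocation happens, which is the behaviour to look for when auditing or fuzzing a container-format parser.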

A Proof-of-Concept exploit is demonstrated:

Timeline

Credit

External References