Flash suffers from a broker-based sandbox escape.
989036efd58bbccc9c007b2a7121bd6ba170455cc7d74bc71d5f4bbe336962f7Flash suffers from a broker-based sandbox escape.
ff44243af4b26853124e63a9869c6b81f401bc2ad222680958329a437559b8efFlash suffers from a broker-based sandbox escape.
32f8d2576cdd393f19c2a9cdbb6d3476d8fda0611004641c02e347365ebea2aeThere is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.
f100f0c5cc96a2a407b46491520f1bce43ba7ca526f4e6c69f5887bf768c2ecaThe Type1/CFF CharString interpreter code in the Adobe Type Manager Font Driver (ATMFD.DLL) Windows kernel module does not perform nearly any verification that the operand stack is large enough to contain the required instruction operands, which can lead to up to "off-by-three" overreads and overwrites on the interpreter function stack.
51ba13f671a701f0476a89dfbec32f4088b01330862ec09c0a793c9e3d8643a0The system call NtPowerInformation performs a check that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn't take into account the impersonation level of the token and the rest of the code also doesn't take it into account.
8e80a5edbfcfa8ce64460f4e9edf0e6164d6af2253e064cbdbd72a18a7cc6f4aResearchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
211858c5b9e08bfdb94ac6f00d553181d66e260d3e96b6772ee5d08a2eeebad8Researchers have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files.
04fddfcac6b041b9767e037c57308e83d27c063d91368ef64e5e28a5f2f828adThere is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
fb9a0a904e45cd0df6256c9beee44fab0c8f0d32abe86dd2ede36f7255957e4dResearchers have encountered a number of Windows kernel crashes in the win32k!itrp_IUP function (a handler of the IUP[] TTF program instruction) while processing corrupted TTF font files.
2da68c42d8b015345141bebfbde7346273991659273a83e794878106ce64e9e5When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
025afc3b744a755fe32430c68ff260ef742b1772b907721185ee3c58dbde5b57An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
a9bceda55620d3ed4cd20aec8a272a586fc3442122decbc24a9ba59a81f9b08bAn access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
d1b4ab4f8b0404b6ba7f6fd0ce0dddffa431bd6d447a9316b9385e81916c89f2In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject.
90eacb51d34198b2be5fdbf20c1cbafadb5acc055ea1efde7be967cbaf2262efWhen setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack.
784ff7b73b5ba4aba1ac24bbe51f62d68e8c1405d60181192fb3613898562723There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
2e1c6f0cbff4d283e27bc67ff2c3d6a2f97825e1fb4b4c03692fb92493f675d7In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many properties of the Sound and NetStream classes.
988359360be0f5f9adf193f6cd3a04d83c07dd40e147fd6dcd237b7482c3bf8cAn instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
fc4873a13244f4cbc031eca310103bf8bf2dd9f88a4c98659fde47aa2310d88dIf the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted.
b56d353e5eaa5e4528ff1ffb7dc841c80fd0d96e3e3d63729b195cd39ca14474Three use-after-free proof of concept exploits for Flash.
2e4eefce9ede8e949e02bc78fdf89f165e66883de32412b8f8591292e5d9a762A use-after-free bug exists while setting the TextFilter.filters array.
31a6c05930a52b35dcd3d8092a6d0a8288bfbf9225bc353369358d98b9ab95b8There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
80b4a9baafb714f2dd9d49514a0fc66cae5b4722cb091640d14ef74e3e9fafccThis is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.
b7ac22badf51c7c646164605a8e31a6bc88e7bf96892a72cbd86c59704b16c46Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
f3c9bc75807a1970026b1a04826e0374c827b906a3593467dfd94e746404d46eEMC Documentum Content Server failed to fully address privilege escalation vulnerabilities as noted in CVE-2015-4532.
3e23749741e39d44281a4e37e4effeb870920b6c75bab3df444cee63831f8276
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed