Adobe Flash double free and cross domain bypass

Adobe security update APSB15-06 addresses a “double free” vulnerability in the Flash Player Settings Manager. It’s a standalone program that can be launched programmatically by web-embedded Flash applications.

On Windows, the Settings Manager (FlashPlayerApp.exe) can also be found in the Control Panel and on Mac OS X in the System Preferences.

Successful exploitation would lead to arbitrary code execution. This bug has been assigned the identifier CVE-2015-0346.

Flash stores its global and per-website settings as Local Shared Objects belonging to the website “macromedia.com”. In order to exploit the double-free condition, the attacker has to inject some malformed data into those Local Shared Objects and then launch the Settings Manager.

Another bug addressed by this update, CVE-2015-3044, is a method for bypassing the Flash security model and injecting data into Local Shared Objects belonging to other websites. The attacker can use this to trigger the “double free” bug.

In addition, CVE-2015-3044 can be used to bypass other Flash security policies. For example, it can be exploited to quietly record audio or video without notifying the user or asking for permission. This is a cross-platform logical bug, so the same exploit works on any operating system supported by Flash.

In the demonstration below, the video stream is played back on the screen. A real-world exploit could use an invisible Flash app which could store or transmit the video/audio stream to a remote site.

We are currently investigating a potential variant of CVE-2015-3044, so further details will be withheld at this time.

Demo