Adobe Flash has been a favourite target for exploit developers since 2013. One of the most common exploitation techniques against Flash 0days, especially for Use-After-Free (UAF) bugs, is to corrupt the length field of an array-like object, which eventually leads to arbitrary memory read/write and then arbitrary code execution. Because the Vector/ByteArray primitive is so simple and powerful, in 2015 Adobe introduced mitigations into Flash with the goal of making this old method history.
Under these new circumstances, gaining arbitrary memory access is no longer easy, let alone implementing a universal method. Unfortunately, most UAF exploits need to read process memory and then collect the required ROP gadgets to achieve code execution.
This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion through which full memory access is regained. More importantly, this talk will illustrate UAUAF with CVE-2016-1097, a real UAF 0day that we discovered in April. The whole detailed exploitation process, i.e., from discovering the 0day, gaining full memory access, and chaining ROP gadgets to the final arbitrary code execution, will be presented.