CVE-2016-4108

HIGH

Adobe Flash Player <=21.0.0.213 addProperty - Use-After-Free

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4108. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a use-after-free vulnerability in Adobe Flash Player's ActionScript `addProperty` method when a watch is defined on a MovieClip object. The PoC triggers the vulnerability by adding a property to a MovieClip with an existing watch, leading to potential remote code execution.

Description

Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-064.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdosmultiple

https://www.exploit-db.com/exploits/39830

View Code ZIP pw:eip

This exploit demonstrates a use-after-free vulnerability in Adobe Flash Player's ActionScript `addProperty` method when a watch is defined on a MovieClip object. The PoC triggers the vulnerability by adding a property to a MovieClip with an existing watch, leading to potential remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Flash Player (versions affected by CVE-2016-4108)

No auth needed

Prerequisites: Victim must open a malicious SWF file

MITRE ATT&CK