I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2868
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.
Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D.
This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parts.
DETAILS
Disassembly:
69081240 74 46 JE SHORT IML32.69081288
69081242 8B16 MOV EDX,DWORD PTR DS:[ESI]
69081244 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
69081247 83E2 02 AND EDX,2
6908124A 0BD5 OR EDX,EBP
6908124C 83CA 01 OR EDX,1
6908124F 8916 MOV DWORD PTR DS:[ESI],EDX
69081251 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
69081254 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
69081257 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
6908125A 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
6908125D 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
69081260 8BFE MOV EDI,ESI
69081262 03F5 ADD ESI,EBP
69081264 894C31 FC MOV DWORD PTR DS:[ECX+ESI-4],ECX <--- Problem
ECX = 0x616CF240
ESI = 0x06C94038
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies