Adobe Shockwave Player Memory Corruption Vulnerability

2010.08.31
Credit: Rodrigo Branco
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-2880
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Dear List, I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2010-2880 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x47. This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected. Shockwave Player version 11.5.7.609 and older for Windows and MacOS CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro01.dir) is available to interested parts. DETAILS Disassembly: 68001602 40 INC EAX 68001603 83E0 FE AND EAX,FFFFFFFE 68001606 8945 04 MOV DWORD PTR SS:[EBP+4],EAX 68001609 8D5408 08 LEA EDX,DWORD PTR DS:[EAX+ECX+8] 6800160D 8B47 20 MOV EAX,DWORD PTR DS:[EDI+20] 68001610 8B58 10 MOV EBX,DWORD PTR DS:[EAX+10] 68001613 83FB FF CMP EBX,-1 68001616 895424 14 MOV DWORD PTR SS:[ESP+14],EDX 6800161A 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX 6800161E 0F8E 92010000 JLE DIRAPI.680017B6 68001624 53 PUSH EBX 68001625 57 PUSH EDI 68001626 E8 C5140000 CALL DIRAPI.68002AF0 6800162B 8BD8 MOV EBX,EAX 6800162D 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] <-- Problem EBX = 0x46A6FAAC EAX = 0x46A6FAAC CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies

References:

http://www.adobe.com/support/security/bulletins/apsb10-20.html
http://www.securityfocus.com/archive/1/archive/1/513331/100/0/threaded


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top