Adobe Shockwave Player Memory Corruption Vulnerability

2010.09.01
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2010-2881 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro02.dir at offset 0x24C0. This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected. Shockwave Player version 11.5.7.609 and older for Windows and MacOS CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro02.dir) is available to interested parts, together with a deep exploitability analysis. DETAILS Disassembly: 6900725F 8B0D 3CEA0B69 MOV ECX,DWORD PTR DS:[690BEA3C] 69007265 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] 69007268 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] 6900726B F7C7 07000000 TEST EDI,7 69007271 74 0F JE SHORT IML32.69007282 69007273 8A06 MOV AL,BYTE PTR DS:[ESI] 69007275 83C6 01 ADD ESI,1 69007278 8807 MOV BYTE PTR DS:[EDI],AL 6900727A 83C7 01 ADD EDI,1 6900727D 49 DEC ECX 6900727E 74 42 JE SHORT IML32.690072C2 69007280 ^EB E9 JMP SHORT IML32.6900726B 69007282 83F9 20 CMP ECX,20 69007285 7C 29 JL SHORT IML32.690072B0 69007287 0F6F5E 18 MOVQ MM3,QWORD PTR DS:[ESI+18] <--- Problem ESI = 0x06CAFFE8 CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies

References:

http://www.adobe.com/support/security/bulletins/apsb10-20.html
http://www.securityfocus.com/archive/1/archive/1/513328/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top