lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060912190048.17373.qmail@securityfocus.com>
Date: 12 Sep 2006 19:00:48 -0000
From: irc@...puterterrorism.com
To: bugtraq@...urityfocus.com
Subject: Computer Terrorism (UK) :: Incident Response Centre -
 Adobe/Macromedia Flash Player Vulnerability

Computer Terrorism  (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006


============================================================
Adobe/Macromedia Flash Player - Remote Code Execution
============================================================

Advisory Date: 12th, September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference:  CVE-2006-3311  



Affected Software  
=================

Adobe Flash Player 8.0.24.0 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5

Note: All OS Platforms are vulnerable


1. OVERVIEW
===========

Adobe/Macromedia Flash Player is the world's most ubiquitous Browser plug-in 
for Microsoft, Mozilla and Apple technologies. The plug-in claims to facilitate 
high-impact web interfaces and interactive online advertising for circa 98% of 
desktops globally.

Unfortunately, it transpires that Adobe Flash Player is prone to a remote 
arbitrary code execution vulnerability, that allows an attacker to gain
control of a target system through the simple invocation of a maliciously 
constructed web page.


2. TECHNICAL NARRATIVE
======================

The vulnerability originates out of Flash's failure to sufficiently handle
large dynamically generated strings at run time. As a result, it is possible 
(using rudimentary Action Script) to create a .swf movie in such a way that 
when processed by the Plug-in, will overwrite system memory at an explicit
location.

More specifically, the aforementioned location can (with a certain degree of 
accuracy) be attacker controlled via the direct manipulation of the overall 
length of the generated string.

The net result is that of a partially controllable condition, which opens the 
door to a multitude of differing exploitation vectors, including but not 
limited to heap/stack overwrites, and/or 3rd party race conditions.


3. EXPLOITATION
===============

Computer Terrorism (UK) can confirm the un-disclosed production of a reliable
multi-platform & multi-browser Web based Proof-Of-Concept (PoC). Such an 
exploit could be used in a web-based attack scenario, where unsuspecting 
users are lured to a maliciously constructed website.

Users that have not already done so are strongly advised to upgrade to the latest
version of Flash Player or apply the appropriate fix for their particular version. 


4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the 
following location:

http://www.adobe.com/go/apsb06-11/


5. DISCLOSURE ANALYSIS
======================

12/05/2006  Preliminary Vendor notification.
18/05/2006  Vulnerability confirmed in pre-release Flash 9, and earlier versions
28/06/2006  Flash Player 9 released (Fixed)
31/07/2006  Public Disclosure Deferred by Vendor.
12/09/2006  Coordinated public release.

Total Time to Fix: 4 months (123 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism (UK) Ltd




===================
About Computer Terrorism
===================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services. 
Our unique approach to vulnerability risk assessment and mitigation has helped protect 
some of the worlds most at risk organisations. 

Headquartered in London, Computer Terrorism has representation throughout Europe & 
North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive website 
penetration test, visit: http:/www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ