| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Oct 2010 08:14:11 -0700 From: Rodrigo Branco <rbranco@...ckpoint.com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4087 Dear List, I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Memory corruption when Adobe Shockwave Player parses .dir media file (mmap record - VSWV entry) CVE-2010-4087 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid length of VSWV entry inside a mmap record. This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected. Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702 CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro13.dir) is available to interested parties. DETAILS 0:008> r eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0 eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 IML32!Ordinal2064+0x7254: 69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=???????? 0:008> !exploitable Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e) User mode write access violations that are not near NULL are exploitable. Disassembly: 0:008> u 0x69081264 L15 IML32!Ordinal2064+0x7254: 69081264 894c31fc mov dword ptr [ecx+esi-4],ecx 69081268 83c902 or ecx,2 6908126b 890e mov dword ptr [esi],ecx 6908126d 8b4318 mov eax,dword ptr [ebx+18h] 69081270 894608 mov dword ptr [esi+8],eax 69081273 8b4804 mov ecx,dword ptr [eax+4] 69081276 894e04 mov dword ptr [esi+4],ecx 69081279 8b5004 mov edx,dword ptr [eax+4] 6908127c 897208 mov dword ptr [edx+8],esi 6908127f 8b54241c mov edx,dword ptr [esp+1Ch] 69081283 897004 mov dword ptr [eax+4],esi 69081286 eb1e jmp IML32!Ordinal2064+0x7296 (690812a6) 69081288 8d3c31 lea edi,[ecx+esi] 6908128b 894ffc mov dword ptr [edi-4],ecx 6908128e 83c902 or ecx,2 69081291 890e mov dword ptr [esi],ecx 69081293 8b042f mov eax,dword ptr [edi+ebp] 69081296 8b7604 mov esi,dword ptr [esi+4] 69081299 83c802 or eax,2 6908129c 89042f mov dword ptr [edi+ebp],eax 6908129f 8bc5 mov eax,ebp CREDITS This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies
Powered by blists - more mailing lists