lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1422508C71@USEXCHANGE.ad.checkpoint.com>
Date: Sat, 30 Oct 2010 08:14:24 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Adobe Shockwave Player Memory Corruption Vulnerability -
 CVE-2010-4089

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (duplicated LCSM entries in mmap record)
CVE-2010-4089


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file.  mmap records contains offsets and lengths of all other records.  One of such records is LCSM. It also contains references to other records. Duplicated LCSM entries causes memory corruption as shown in PoC (repro15.dir).

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro15.dir) is available to interested parties.


DETAILS


ModLoad: 03a20000 03a27000   C:\WINDOWS\system32\Adobe\Shockwave 11\xtras\CBrowser.x32
ModLoad: 03e10000 03e27000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextAsset\Text Asset.x32
ModLoad: 048a0000 04989000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextXtra\TextXtra.x32
ModLoad: 04430000 04475000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FontXtra\Font Xtra.x32
(1cc.b74): Access violation - code c0000005 (!!! second chance !!!)
eax=00000068 ebx=00000020 ecx=0162d550 edx=00000068 esi=0162d550 edi=0543386c
eip=69009f1f esp=0162d540 ebp=0543386c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll - 
IML32!Ordinal1113+0xf:
69009f1f 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:0000006c=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at IML32!Ordinal1113+0x000000000000000f (Hash=0x1a537c3d.0x1a63313d)

The data from the faulting address is later used to determine whether or not a branch is taken.

Exploitation details sent to Adobe.



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ