| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3d7a6e870803192115g4a7ddfd9lab0c25f28ce125de@mail.gmail.com>
Date: Thu, 20 Mar 2008 12:15:18 +0800
From: cocoruder <cocoruder@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Adobe Flash CS3 Professional FLA File Parsing
Multiple Local Code Execute Vulnerabilities
Adobe Flash CS3 Professional FLA File Parsing Multiple Local Code
Execute Vulnerabilities
by cocoruder(frankruder@...mail.com)
http://ruder.cdut.net
Summary:
More than three local code execute vulnerabilities exist in Adobe
Flash CS3 Professional while it is parsing FLA files. An attacker who
successfully exploit these vulnerabilities can run arbitrary code on
the affected system.
Affected Software Versions:
Adobe Flash CS3 Professional 9.0
Macromedia Flash MX 2004
Details:
All these vulnerabilities are due to the parser does not handle
the malformed FLA file accurately, by changing value of some special
addresses in normal FLA file, it can result in some unexpected errors
at "call" instruction, the following is one of the situations:
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=08feac38 edi=0012eb2c
eip=00943502 esp=0012e15c ebp=08feac3c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00250206
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for Flash-unprepped.exe -
Flash_unprepped!std::basic_istream<char,std::char_traits<char>
>::basic_istream<char,std::char_traits<char> >+0x3d7762:
00943502 8b01 mov eax,dword ptr
[ecx] ds:0023:41414141=????????, can be controlled
00943504 8b10 mov edx,dword ptr [eax]
00943506 6a01 push 1
00943508 ffd2 call edx ; code executing is possible
0094350a 8bbe48020000 mov edi,dword ptr [esi+248h]
00943510 3bfb cmp edi,ebx
00943512 899ef4010000 mov dword ptr [esi+1F4h],ebx
00943518 7410 je
Flash_unprepped!std::basic_istream<char,std::char_traits<char>
>::basic_istream<char,std::char_traits<char> >+0x3d778a (0094352a)
It is confirmed that at least one of them can be written
successful working exploits for, on the other hand, because the FLA
file can not be loaded remotely, which can reduce the threat of these
vulnerabilities.
Vendor Response:
Adobe has replied me that they will fix these vulnerabilities in
the next major release of Flash Professional, we suggest all of the
Adobe Flash CS3 Professional users do not open the FLA file which are
from distrustful source.
An advisory from the vendor can be found at:
http://www.adobe.com/support/security/advisories/apsa08-03.html
Fortinet advisory can be found at:
http://www.fortiguardcenter.com/advisory/FGA-2008-07.html
CVE Information:
CVE-2008-1201
Disclosure Timeline:
2007.11.09 Vendor notified via email
2007.11.10 Vendor responded
2007.11.16 Vendor replied they can not find a way to exploit
2007.11.16 Send some notes to the vendor
2007.11.27 Vendor replied they still can not find a way to exploit
2007.11.28 Send an working exploit to the vendor
2008.03.11 Vendor replied there will not be a plan for developing
an update due to the threat of the vul, they will fix it via the next
major release.
2008.03.20 Coordinated vulnerability disclosure
--EOF--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists