lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Aug 2010 06:02:29 -0700 From: Rodrigo Branco <rbranco@...ckpoint.com> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2864 I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2010-2864 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro03.dir at offset 0x24C6. This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected. Shockwave Player version 11.5.7.609 and older for Windows and MacOS CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro03.dir) is available to interested parts. DETAILS Disassembly: 69009F10 > 56 PUSH ESI 69009F11 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8] 69009F15 85F6 TEST ESI,ESI 69009F17 74 46 JE SHORT IML32.69009F5F 69009F19 8B06 MOV EAX,DWORD PTR DS:[ESI] 69009F1B 85C0 TEST EAX,EAX 69009F1D 74 3A JE SHORT IML32.69009F59 69009F1F 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] <--- Problem EAX = 0xA1A10000 ECX = 0x0013D0C8 CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists