lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 30 Oct 2010 08:13:31 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Adobe Shockwave Player Memory Corruption
 Vulnerability - CVE-2010-4086

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap_element_size)
CVE-2010-4086


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid element size.  

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module DIRAPI.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro12.dir) is available to interested parties.   Important to note that a previous vulnerability discovered by
Rodrigo Rubira Branco (CVE-2010-2880) modified the index value used in the same structure.


DETAILS

0:008> r
eax=05215678 ebx=03a82dc8 ecx=0007ef40 edx=00000001 esi=0000001a edi=05301610
eip=044b2498 esp=0162ba14 ebp=0000007c iopl=0         nv up ei ng nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010292
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f    and     word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f) ds:0023:05215684=????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at DIRAPI!Ordinal21+0x00000000000006f8 (Hash=0x53080807.0x53080814)

User mode write access violations that are not near NULL are exploitable.

Disassembly:

0:008> u 0x044b2498 L15
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f    and     word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f)
044b249e 83fe03          cmp     esi,3
044b24a1 668b480c        mov     cx,word ptr [eax+0Ch]
044b24a5 7d1a            jge     DIRAPI!Ordinal21+0x721 (044b24c1)
044b24a7 813858464952    cmp     dword ptr [eax],52494658h
044b24ad 7509            jne     DIRAPI!Ordinal21+0x718 (044b24b8)
044b24af 8b4804          mov     ecx,dword ptr [eax+4]
044b24b2 83c108          add     ecx,8
044b24b5 894f48          mov     dword ptr [edi+48h],ecx
044b24b8 c7401000000000  mov     dword ptr [eax+10h],0
044b24bf eb19            jmp     DIRAPI!Ordinal21+0x73a (044b24da)
044b24c1 f6c104          test    cl,4
044b24c4 7507            jne     DIRAPI!Ordinal21+0x72d (044b24cd)
044b24c6 c7401000000000  mov     dword ptr [eax+10h],0
044b24cd 837804ff        cmp     dword ptr [eax+4],0FFFFFFFFh
044b24d1 7507            jne     DIRAPI!Ordinal21+0x73a (044b24da)
044b24d3 c7400400000000  mov     dword ptr [eax+4],0
044b24da 46              inc     esi
044b24db 3bf5            cmp     esi,ebp
044b24dd 7cb2            jl      DIRAPI!Ordinal21+0x6f1 (044b2491)
044b24df 90              nop



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ