lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1422508C6F@USEXCHANGE.ad.checkpoint.com>
Date: Sat, 30 Oct 2010 08:13:58 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Adobe Shockwave Player Memory Corruption
 Vulnerability - CVE-2010-4088

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (duplicated KEY* reference in mmap record)
CVE-2010-4088


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive 
presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file.  mmap records contains offsets and lengths of all other records.  One of such records is KEY*. It also contains references to other records. Duplicated references to the same KEY* chunk causes problems in Chrome.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module DIRAPI.dll on WinXP_PT SP3 Google Chrome 6.0.472.55


CVSS Scoring System

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro14.dir) is available to interested parties. 


DETAILS


Due to the very nature of the problem and the way the browser handles it internally, it is very difficult to debug.  The browser catches the
failure.

ModLoad: 041c0000 041c7000   C:\WINDOWS\system32\Adobe\SHOCKW~1\xtras\CBrowser.x32
(924.a78): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=312fffcc ebp=312ffff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc              int     3

After the break point hit, we see the browser just handles the crash of the plugin:

0:009> g
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120f esp=312fffcc ebp=312ffff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint+0x1:
7c90120f c3              ret
0:009> k
ChildEBP RetAddr  
312fffc8 7c951e40 ntdll!DbgBreakPoint+0x1
312ffff4 00000000 ntdll!DbgUiRemoteBreakin+0x2d


Forcing the browser to run in single-mode process we have:

ModLoad: 041c0000 041c7000   C:\WINDOWS\system32\Adobe\SHOCKW~1\xtras\CBrowser.x32
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
eax=00000001 ebx=7c802446 ecx=00000000 edx=00000000 esi=0073abc0 edi=000009e0
eip=7c90e460 esp=042cff08 ebp=042cff50 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiUserCallbackDispatcher:
7c90e460 83c404          add     esp,4
7c90e463 5a              pop     edx
7c90e464 64a118000000    mov     eax,dword ptr fs:[<Unloaded_papi.dll>+0x7 (00000018)]
7c90e46a 8b4030          mov     eax,dword ptr [eax+30h]
7c90e46d 8b402c          mov     eax,dword ptr [eax+2Ch]
7c90e470 ff1490          call    dword ptr [eax+edx*4]
7c90e473 33c9            xor     ecx,ecx
7c90e475 33d2            xor     edx,edx
7c90e477 cd2b            int     2Bh
7c90e479 cc              int     3

The Stack Trace:
ntdll!KiUserCallbackDispatcher+0x0
USER32!NtUserMessageCall+0xc
USER32!SendMessageA+0x7f
Plugin!NP_Shutdown+0x41f4



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ