[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1422508C70@USEXCHANGE.ad.checkpoint.com>
Date: Sat, 30 Oct 2010 08:14:11 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Adobe Shockwave Player Memory Corruption
Vulnerability - CVE-2010-4087
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file (mmap record - VSWV entry)
CVE-2010-4087
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid length of VSWV entry inside a mmap record.
This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected.
Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem a PoC file (repro13.dir) is available to interested parties.
DETAILS
0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)
User mode write access violations that are not near NULL are exploitable.
Disassembly:
0:008> u 0x69081264 L15
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx
69081268 83c902 or ecx,2
6908126b 890e mov dword ptr [esi],ecx
6908126d 8b4318 mov eax,dword ptr [ebx+18h]
69081270 894608 mov dword ptr [esi+8],eax
69081273 8b4804 mov ecx,dword ptr [eax+4]
69081276 894e04 mov dword ptr [esi+4],ecx
69081279 8b5004 mov edx,dword ptr [eax+4]
6908127c 897208 mov dword ptr [edx+8],esi
6908127f 8b54241c mov edx,dword ptr [esp+1Ch]
69081283 897004 mov dword ptr [eax+4],esi
69081286 eb1e jmp IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31 lea edi,[ecx+esi]
6908128b 894ffc mov dword ptr [edi-4],ecx
6908128e 83c902 or ecx,2
69081291 890e mov dword ptr [esi],ecx
69081293 8b042f mov eax,dword ptr [edi+ebp]
69081296 8b7604 mov esi,dword ptr [esi+4]
69081299 83c802 or eax,2
6908129c 89042f mov dword ptr [edi+ebp],eax
6908129f 8bc5 mov eax,ebp
CREDITS
This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists