lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1422508C70@USEXCHANGE.ad.checkpoint.com>
Date: Sat, 30 Oct 2010 08:14:11 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Adobe Shockwave Player Memory Corruption
 Vulnerability - CVE-2010-4087

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap record - VSWV entry)
CVE-2010-4087


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid length of VSWV entry inside a mmap record.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro13.dir) is available to interested parties. 


DETAILS

0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)

User mode write access violations that are not near NULL are exploitable.


Disassembly:

0:008> u 0x69081264 L15
IML32!Ordinal2064+0x7254:
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx
69081268 83c902          or      ecx,2
6908126b 890e            mov     dword ptr [esi],ecx
6908126d 8b4318          mov     eax,dword ptr [ebx+18h]
69081270 894608          mov     dword ptr [esi+8],eax
69081273 8b4804          mov     ecx,dword ptr [eax+4]
69081276 894e04          mov     dword ptr [esi+4],ecx
69081279 8b5004          mov     edx,dword ptr [eax+4]
6908127c 897208          mov     dword ptr [edx+8],esi
6908127f 8b54241c        mov     edx,dword ptr [esp+1Ch]
69081283 897004          mov     dword ptr [eax+4],esi
69081286 eb1e            jmp     IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31          lea     edi,[ecx+esi]
6908128b 894ffc          mov     dword ptr [edi-4],ecx
6908128e 83c902          or      ecx,2
69081291 890e            mov     dword ptr [esi],ecx
69081293 8b042f          mov     eax,dword ptr [edi+ebp]
69081296 8b7604          mov     esi,dword ptr [esi+4]
69081299 83c802          or      eax,2
6908129c 89042f          mov     dword ptr [edi+ebp],eax
6908129f 8bc5            mov     eax,ebp


CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ