Message-ID: <4EB99C8E.1060505@coresecurity.com>
Date: Tue, 08 Nov 2011 18:18:06 -0300
From: CORE Security Technologies Advisories <advisories@...esecurity.com>
To: Bugtraq <bugtraq@...urityfocus.com>,
full-disclosure@...ts.grok.org.uk
Subject: CORE-2011-0825: Adobe Shockwave Player TextXtra.x32 vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Adobe Shockwave Player TextXtra.x32 vulnerability
1. *Advisory Information*
Title: Adobe Shockwave Player TextXtra.x32 vulnerability
Advisory ID: CORE-2011-0825
Advisory URL:
http://www.coresecurity.com/content/adobe-shockwave-textxtra-vulnerability
Date published: 2011-11-08
Date of last update: 2011-11-08
Vendors contacted: Adobe
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-2447
3. *Vulnerability Description*
A memory corruption vulnerability in Adobe Shockwave Player can be
leveraged to execute arbitrary code on vulnerable systems by enticing
users to visit a malicious web site that serves a specially crafted .dir
file. A remote attacker could use it to execute arbitrary code with the
privileges of the user who opened the malicious file.
4. *Vulnerable packages*
. Adobe Shockwave Player 11.6.1.629 and earlier versions for
Windows and Macintosh.
5. *Non-vulnerable packages*
. Adobe Shockwave Player 11.6.3.633 [2]
6. *Vendor Information, Solutions and Workarounds*
Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and
earlier versions upgrade to the newest version 11.6.3.633 available
at: http://get.adobe.com/shockwave/
Adobe categorizes this as a critical update and recommends that users
apply the latest update for their product installation by following
the instructions in the Security Bulletin [1].
7. *Credits*
This vulnerability was discovered and researched by Pablo Santamaria
from Core Security Technologies. The publication of this advisory was
coordinated by Carlos Sarraute.
8. *Technical Description / Proof of Concept Code*
A memory corruption vulnerability can be triggered when Adobe
Shockwave parses a specially crafted .dir file. As the following code
shows, a value is read from the file by sub_6976C9F7 [3] and saved in
the ESI register [4]. ESI is then used as the loop counter [5]: each
iteration calls sub_69774E23 with the value that sub_6976CBC8 returned
in EDI and then advances EDI by 0x10, and nothing in the loop compares
the file-supplied count with the size of what EDI points into. An
attacker can therefore make sub_69774E23 run, and EDI advance, as many
times as desired, leading to heap-based memory corruption and possibly
to arbitrary code execution.
/-----
.text:69774E8C                 push    esi
.text:69774E8D                 push    edi
.text:69774E8E                 push    [esp+8+arg_4]
.text:69774E92                 call    sub_6976C9F7        ; [3]
.text:69774E97                 push    [esp+8+arg_4]
.text:69774E9B                 mov     esi, eax            ; [4]
.text:69774E9D                 call    sub_6976CBC8
.text:69774EA2                 mov     edi, eax
.text:69774EA4                 jmp     short loc_69774EB4
.text:69774EA6 ; ---------------------------------------------------------------------------
.text:69774EA6
.text:69774EA6 loc_69774EA6:
.text:69774EA6                 push    edi
.text:69774EA7                 push    [esp+0Ch+arg_0]
.text:69774EAB                 call    sub_69774E23
.text:69774EB0                 add     edi, 10h
.text:69774EB3                 dec     esi                 ; [5]
.text:69774EB4
.text:69774EB4 loc_69774EB4:
.text:69774EB4                 test    esi, esi            ; [5]
.text:69774EB6                 jg      short loc_69774EA6
-----/
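The following C program is an added illustration of the bug pattern in the listing, written for this page; it is not Core's proof-of-concept and not Adobe's code, and it does not parse the real .dir format. It assumes a constructed chunk layout (u32 capacity, u32 count, then count records of 16 bytes) in which `capacity` stands for whatever sized the buffer that sub_6976CBC8 returns in EDI and `count` stands for the value sub_6976C9F7 returns in ESI. `parse_unchecked` mirrors the loop at loc_69774EA6, where the count from the file is never compared with the buffer's capacity; `parse_checked` is the hardened form. A canary word placed directly after the buffer stands in for the neighbouring heap object, so the overrun is observable without undefined behaviour; the unchecked loop is clipped at the end of the allocation only so the program can run, whereas the original loop has no such limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 16u          /* the listing advances EDI by 0x10 per record */
#define MAX_RECORDS 4u           /* size of the constructed sample chunks below */
#define CANARY      0xDEADBEEFu

/* Constructed chunk layout, an assumption for this illustration rather than the
 * real .dir format: u32 capacity, u32 count, then count * 16 record bytes, all
 * little-endian. `capacity` models whatever sized the buffer sub_6976CBC8
 * returns in EDI; `count` models the value sub_6976C9F7 returns in ESI. */
typedef struct {
    uint8_t *buf;        /* room for `capacity` records, a canary word right after */
    size_t   capacity;
    size_t   stored;     /* records the loop wrote */
} table_t;

static int rd_u32(const uint8_t *d, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return -1;
    *out = (uint32_t)d[off] | ((uint32_t)d[off + 1] << 8)
         | ((uint32_t)d[off + 2] << 16) | ((uint32_t)d[off + 3] << 24);
    return 0;
}

/* The canary stands in for the neighbouring heap object: a loop that runs past
 * the buffer lands on it but stays inside the allocation. */
static int table_alloc(table_t *t, uint32_t capacity) {
    if (capacity > (SIZE_MAX - sizeof(uint32_t)) / RECORD_SIZE) return -1;
    size_t bytes = (size_t)capacity * RECORD_SIZE;
    uint32_t c = CANARY;
    if (!(t->buf = malloc(bytes + sizeof c))) return -1;
    memcpy(t->buf + bytes, &c, sizeof c);
    t->capacity = capacity;
    t->stored = 0;
    return 0;
}

static int canary_intact(const table_t *t) {
    uint32_t c;
    memcpy(&c, t->buf + t->capacity * RECORD_SIZE, sizeof c);
    return c == CANARY;
}

/* Vulnerable shape, mirroring the listing: `count` comes straight from the file
 * and drives the loop [5]; nothing compares it with `capacity`. The copy is
 * clipped at the end of the allocation only so this example can run safely. */
static int parse_unchecked(const uint8_t *d, size_t len, table_t *t) {
    uint32_t capacity, count;
    if (rd_u32(d, len, 0, &capacity) || rd_u32(d, len, 4, &count)) return -1;
    if (table_alloc(t, capacity)) return -1;
    size_t end = t->capacity * RECORD_SIZE + sizeof(uint32_t), off = 8;
    for (uint32_t i = 0; i < count; i++) {             /* dec esi / test esi / jg */
        size_t dst = (size_t)i * RECORD_SIZE;           /* add edi, 10h */
        if (len - off < RECORD_SIZE || dst >= end) break;
        size_t n = end - dst < RECORD_SIZE ? end - dst : RECORD_SIZE;
        memcpy(t->buf + dst, d + off, n);               /* the write inside sub_69774E23 */
        off += RECORD_SIZE;
        t->stored++;
    }
    return 0;
}

/* Hardened shape: bound `count` by the buffer's capacity and by the bytes
 * actually present before anything is written. */
static int parse_checked(const uint8_t *d, size_t len, table_t *t) {
    uint32_t capacity, count;
    if (rd_u32(d, len, 0, &capacity) || rd_u32(d, len, 4, &count)) return -1;
    if (count > capacity) return -2;                    /* more records than the buffer holds */
    if ((len - 8) / RECORD_SIZE < count) return -3;     /* payload shorter than claimed */
    if (table_alloc(t, capacity)) return -1;
    memcpy(t->buf, d + 8, (size_t)count * RECORD_SIZE);
    t->stored = count;
    return 0;
}

/* Write a constructed chunk into `d`: the header claims `count` records for a
 * buffer of `capacity`; record bytes are a running pattern. Returns its length. */
static size_t build_chunk(uint8_t *d, uint32_t capacity, uint32_t count) {
    if (count > MAX_RECORDS) return 0;
    size_t len = 8 + (size_t)count * RECORD_SIZE;
    for (int i = 0; i < 4; i++) {
        d[i]     = (uint8_t)(capacity >> (8 * i));
        d[4 + i] = (uint8_t)(count >> (8 * i));
    }
    for (size_t i = 8; i < len; i++) d[i] = (uint8_t)(0x41 + (i - 8));
    return len;
}

/* 1 if the unchecked loop clobbered the canary for this header, else 0. */
static int unchecked_corrupts(uint32_t capacity, uint32_t count) {
    uint8_t d[8 + MAX_RECORDS * RECORD_SIZE];
    table_t t;
    size_t len = build_chunk(d, capacity, count);
    if (parse_unchecked(d, len, &t) != 0) return 0;
    int hit = !canary_intact(&t);
    free(t.buf);
    return hit;
}

/* parse_checked's verdict for this header: 0 only if it accepted the chunk,
 * stored exactly `count` records and left the canary untouched. */
static int checked_verdict(uint32_t capacity, uint32_t count) {
    uint8_t d[8 + MAX_RECORDS * RECORD_SIZE];
    table_t t;
    size_t len = build_chunk(d, capacity, count);
    int rc = parse_checked(d, len, &t);
    if (rc == 0) { rc = (canary_intact(&t) && t.stored == count) ? 0 : -9; free(t.buf); }
    return rc;
}
```

With a header that claims three records for a buffer sized for two, `unchecked_corrupts(2, 3)` returns 1 because the third iteration writes over the canary, while `checked_verdict(2, 3)` returns -2 before any write happens; a consistent header (`2, 2`) passes both. Compile with `cc -std=c99 -Wall` and call the two functions from a `main` of your own.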
9. *Report Timeline*
. 2011-09-19:
Core Security Technologies notifies the Adobe PSIRT team of the
vulnerability. Preliminary publication date is set to October 10, 2011.
. 2011-09-19:
The vendor requests a technical description of the vulnerability.
. 2011-09-20:
Core sends to Adobe PSIRT the technical details and a PoC file to
reproduce the vulnerability.
. 2011-09-20:
Vendor acknowledges the receipt of the technical information, and
assigns Adobe tracking number 1065 to this case.
. 2011-10-12:
Core requests an update concerning this issue, and reschedules the
publication of its advisory for November 7, 2011, as an effort to
coordinate it with the release of fixes.
. 2011-10-12:
Vendor replies that the release of a fix is currently scheduled for
the next update of Adobe Shockwave on November 8th, 2011.
. 2011-10-12:
Core acknowledges the vendor response, and asks whether a CVE name has
been assigned to the vulnerability.
. 2011-10-12:
Vendor responds that CVE names are assigned closer to the release date.
. 2011-11-03:
Core asks the vendor whether it is still on track to release fixes on
November 8th, and requests a CVE name and a list of affected versions.
. 2011-11-03:
Vendor confirms the release date, and states that affected versions of
Adobe Shockwave Player are 11.6.1.629 and earlier versions.
. 2011-11-04:
Vendor asks whether the acknowledgements text of its upcoming security
bulletin [1] is accurate.
. 2011-11-07:
Core confirms the text.
. 2011-11-08:
The advisory CORE-2011-0825 is published.
10. *References*
[1] Security bulletin for Adobe Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb11-27.html
[2] Upgrade Adobe Shockwave Player
http://get.adobe.com/shockwave/
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and demonstrate real-world exposures to their most critical
assets. Our customers can gain real visibility into their security
standing, real validation of their security controls, and real metrics
to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iEYEARECAAYFAk65nI4ACgkQyNibggitWa3r4QCfTQBWDnGgU2zU5VIsav0W7rVi
ggwAoLEFRsdGblP/tEZKyAry8BDtw4Em
=EZuR
-----END PGP SIGNATURE-----