Message-ID: <4F3B03D5.7060706@gmail.com>
Date: Wed, 15 Feb 2012 09:01:09 +0800
From: Code Audit Labs <vulnhunt@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [CAL-2011-0071] Adobe Shockwave Player Parsing cupt atom heap overflow

[CAL-2011-0071] Adobe Shockwave Player Parsing cupt atom heap overflow


Discoverer: instruder of Code Audit Labs (vulnhunt.com)
CAL: CAL-2011-0071
CVE: CVE-2012-0758

http://blog.vulnhunt.com/index.php/2012/02/15/cal-2011-0071_adobe-shockwave-player-parsing-cupt-atom-heap-overflow/

Adobe security bulletin:
http://www.adobe.com/support/security/bulletins/apsb12-02.html


1 Affected Products
=================
Adobe Shockwave 11.6.3.633
Adobe Shockwave 11.6.1.629 and prior


2 Vulnerability Details
=====================
When Adobe Shockwave Player parses a .dir file, it reads a DWORD from the
file and uses it in a size computation. That computation can overflow a
32-bit integer, so a much smaller buffer than needed is allocated; the
subsequent writes into that buffer cause a heap overflow.


3 Analysis
=========
Disassembly from dirapi.dll 11.6.1.629 (size computation, allocation and fill loop):

.text:6809FC7A                 push    esi
.text:6809FC7B                 push    edi
.text:6809FC7C                 push    ebp
.text:6809FC7D                 call    IML32_1414_get_a_dword   // get a dword from the dir file
.text:6809FC82                 mov     esi, eax                 // if eax = 66666680h or similar, esi+esi*4 wraps and leads to the heap overflow
.text:6809FC84                 lea     eax, [esi+esi*4]         // integer overflow (count*5)
.text:6809FC87                 push    1
.text:6809FC89                 lea     ecx, ds:24h[eax*8]       // size = count*40 + 24h, truncated to 32 bits
.text:6809FC90                 push    ecx
.text:6809FC91                 call    IML32_1111
.text:6809FC96                 push    eax
.text:6809FC97                 mov     [esp+14h+arg_4], eax
.text:6809FC9B                 call    IML32_1114               // allocate memory (too small after the wrap)
.text:6809FCA0                 mov     edi, eax
.text:6809FCA2                 test    edi, edi
.text:6809FCA4                 jz      short loc_6809FD03
.text:6809FCA6                 mov     [edi+1Ch], esi           // store the untrusted count in the new buffer
.text:6809FCA9                 test    esi, esi
.text:6809FCAB                 jbe     short loc_6809FCCB
.text:6809FCAD                 lea     esi, [edi+28h]
.text:6809FCB0
.text:6809FCB0 loc_6809FCB0:                           ; CODE XREF: sub_6809FC60+69j
.text:6809FCB0                 push    ebp
.text:6809FCB1                 call    IML32_1414_get_a_dword   // read the next dword and write it to the heap
.text:6809FCB6                 push    20h
.text:6809FCB8                 push    esi
.text:6809FCB9                 push    ebp
.text:6809FCBA                 mov     [esi-4], eax
.text:6809FCBD                 call    IML32_1409
.text:6809FCC2                 inc     ebx
.text:6809FCC3                 add     esi, 28h                 // advance 28h per entry: heap buffer overflow once past the allocation
.text:6809FCC6                 cmp     ebx, [edi+1Ch]
.text:6809FCC9                 jb      short loc_6809FCB0       // loop over all count entries



Equivalent C (decompiled fill loop; v5 is the undersized heap buffer, v6 walks
through it 40 bytes per entry):
==================

         v6 = v4 + 40;                                        /* first entry, just past the header */
         do
         {
           *(_DWORD *)(v6 - 4) = IML32_1414_get_a_dword(v3);  /* dword from the file, written to the heap */
           v4 = IML32_1409();
           ++v2;
           v6 += 40;                                          /* next entry; runs past the buffer once count exceeds what was allocated */
         }
         while ( v2 < *(_DWORD *)(v5 + 0x1C) );               /* loop bound is the file-controlled count stored at +0x1C */
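As an added example (not code from the advisory, from Code Audit Labs, or from Adobe), the C program below models the size arithmetic the disassembly performs, computes how far the fill loop would write for a given count, and shows the overflow-checked form of the computation that would reject the bad count. The constants 0x24, 0x28 and the multiply-by-40 come from the listing above; the per-entry minimum of 4 file bytes and the remaining-input bound are assumptions added for the defensive check.

```c
/* Added example: model of the CVE-2012-0758 size computation and a checked
 * replacement. Constants mirror the disassembly; ENTRY_MIN_FILE and the
 * remaining-input bound are assumptions added for the defensive check. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_HEADER   0x24u   /* lea ecx, [eax*8+24h]            */
#define ENTRY_STRIDE   0x28u   /* add esi, 28h in the fill loop   */
#define ENTRY_MIN_FILE 4u      /* assumption: each iteration reads at least one DWORD */

/* 32-bit arithmetic exactly as dirapi.dll does it:
 *   eax = esi + esi*4 ; ecx = eax*8 + 0x24
 * Unsigned multiplication wraps silently for large counts. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    uint32_t five = count * 5u;
    return five * 8u + ARRAY_HEADER;
}

/* Bytes the fill loop covers for `count` entries (header plus one stride per
 * entry), computed in 64 bits so the result cannot wrap. When nothing wraps
 * this equals unchecked_alloc_size(); when it differs, the loop writes past
 * the allocation. */
uint64_t loop_write_extent(uint32_t count)
{
    return (uint64_t)ARRAY_HEADER + (uint64_t)count * ENTRY_STRIDE;
}

/* How many bytes beyond the (possibly wrapped) allocation the loop would write. */
uint64_t overflow_bytes(uint32_t count)
{
    uint64_t extent = loop_write_extent(count);
    uint64_t alloc  = unchecked_alloc_size(count);
    return extent > alloc ? extent - alloc : 0;
}

/* Overflow-checked replacement. Rejects a count whose array cannot fit in a
 * 32-bit size, and (added check) a count claiming more entries than the
 * remaining file bytes could supply. */
bool checked_alloc_size(uint32_t count, size_t remaining_file_bytes, uint32_t *out)
{
    if (count > remaining_file_bytes / ENTRY_MIN_FILE)
        return false;                 /* more entries than the file can hold */
    uint64_t need = loop_write_extent(count);
    if (need > UINT32_MAX)
        return false;                 /* would wrap in 32-bit arithmetic */
    *out = (uint32_t)need;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the count is rejected. */
uint32_t checked_or_zero(uint32_t count, size_t remaining_file_bytes)
{
    uint32_t sz = 0;
    return checked_alloc_size(count, remaining_file_bytes, &sz) ? sz : 0;
}

int main(void)
{
    uint32_t bad = 0x66666680u;       /* the count value cited in the advisory */
    printf("count 0x%08x: wrapped size %u, loop writes %llu bytes, overflow %llu bytes\n",
           bad, unchecked_alloc_size(bad),
           (unsigned long long)loop_write_extent(bad),
           (unsigned long long)overflow_bytes(bad));
    printf("checked size: %s\n",
           checked_or_zero(bad, SIZE_MAX) ? "accepted" : "rejected");
    return 0;
}
```

For the count 0x66666680, count*5 wraps to 0x80, so the allocation is only 0x424 bytes while the loop tries to write tens of gigabytes; the checked version rejects that count before any allocation happens.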




4 Exploitable?
============
Successful exploitation of this vulnerability could lead to arbitrary code
execution.


5 Crash info:
===============
eax=00000000 ebx=00002a63 ecx=07916058 edx=08980028 esi=07981008 edi=07917068
eip=0754fd5a esp=09e9ef28 ebp=08250bd8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll
DIRAPI+0x9fd5a:
0754fd5a 8946fc          mov     dword ptr [esi-4],eax ds:0023:07981004=????????
0:023> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
09e9ef40 0755028c 07894154 08250bb0 07894154 DIRAPI+0x9fd5a
00000000 00000000 00000000 00000000 00000000 DIRAPI+0xa028c

POC


6 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services
including source code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
