List: full-disclosure
Subject: [Full-disclosure] Adobe Shockwave Player Memory Corruption
From: Rodrigo Branco <rbranco () checkpoint ! com>
Date: 2010-10-30 15:14:24
Message-ID: 50D13E31158CB84E8421A703294682FB1422508C71 () USEXCHANGE ! ad ! checkpoint ! com
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses a .dir media file (duplicated LCSM entries in the mmap record) - CVE-2010-4089
INTRODUCTION
Adobe Shockwave Player is Adobe's browser plugin for viewing rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files. The mmap record contains the offsets and lengths of all other records in the file. One of those records is LCSM, which in turn contains references to other records. Duplicated LCSM entries in the mmap record cause memory corruption, as shown in the PoC (repro15.dir).
This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.
Shockwave Player version 11.5.8.612, module IML32.dll, on WinXP_PT SP3 with Internet Explorer 8.0.6001.18702
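The parsing problem described above, as an added example that is not Check Point's or Adobe's code: a hypothetical mmap-style index of 12-byte entries (4-byte ASCII tag, 32-bit little-endian offset, 32-bit little-endian length) read with the checks a hardened parser would make before trusting any entry, namely rejecting a second LCSM entry, rejecting entries whose offset or length fall outside the file, and rejecting an index that does not itself fit in the file. The layout is a simplification invented for this example, not the real Director/.dir on-disk format (which this post does not document); the sample images are constructed inline, and the tag names other than mmap and LCSM are arbitrary placeholders.

```c
/* Added example (not the real .dir format): validate a simplified
 * mmap-style record index before any entry is used as a pointer source.
 * Entry layout assumed here: 4-byte tag | u32 LE offset | u32 LE length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MMAP_OK = 0, MMAP_DUP_LCSM, MMAP_OOB, MMAP_SHORT };

struct entry { char tag[4]; uint32_t off; uint32_t len; };

#define ENTRY_SIZE  12u
#define MAX_ENTRIES 16
#define SAMPLE_LEN  60

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse `count` entries of the index at `idx_off` inside `file`.
 * Returns MMAP_OK and fills `out`, or a reason the file must be rejected. */
int validate_mmap(const uint8_t *file, size_t file_len, size_t idx_off,
                  uint32_t count, struct entry *out, size_t out_cap)
{
    int seen_lcsm = 0;
    if (count > out_cap) return MMAP_SHORT;
    /* The index itself must lie inside the file (overflow-safe comparison). */
    if (idx_off > file_len || (size_t)count * ENTRY_SIZE > file_len - idx_off)
        return MMAP_SHORT;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = file + idx_off + (size_t)i * ENTRY_SIZE;
        struct entry e;
        memcpy(e.tag, p, 4);
        e.off = rd32le(p + 4);
        e.len = rd32le(p + 8);
        /* off + len must fit in the file; written so off + len cannot wrap. */
        if (e.off > file_len || e.len > file_len - e.off)
            return MMAP_OOB;
        /* Exactly one LCSM record is tolerated: a duplicate is rejected
           up front instead of being resolved twice later on. */
        if (memcmp(e.tag, "LCSM", 4) == 0) {
            if (seen_lcsm) return MMAP_DUP_LCSM;
            seen_lcsm = 1;
        }
        out[i] = e;
    }
    return MMAP_OK;
}

static void put_entry(uint8_t *p, const char *tag, uint32_t off, uint32_t len) {
    memcpy(p, tag, 4); wr32le(p + 4, off); wr32le(p + 8, len);
}

/* Constructed sample image (not a real .dir): 8-byte header ("DIR!" plus
 * u32 entry count), a 3-entry index at offset 8, then 16 bytes of payload.
 * variant 0: well-formed; 1: LCSM listed twice; 2: entry pointing past EOF. */
size_t build_sample(uint8_t *buf, int variant) {
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "DIR!", 4);
    wr32le(buf + 4, 3);
    put_entry(buf + 8,  "mmap", 8, 36);
    put_entry(buf + 20, "LCSM", 44, 8);
    switch (variant) {
    case 1:  put_entry(buf + 32, "LCSM", 52, 8); break;             /* duplicated LCSM */
    case 2:  put_entry(buf + 32, "XXXX", 0xFFFFFFF0u, 0x20); break; /* off + len would wrap */
    default: put_entry(buf + 32, "XXXX", 52, 8); break;
    }
    return SAMPLE_LEN;
}

/* Build one sample variant and run it through the validator. */
int check_sample(int variant) {
    uint8_t buf[SAMPLE_LEN];
    struct entry entries[MAX_ENTRIES];
    size_t len = build_sample(buf, variant);
    uint32_t count = rd32le(buf + 4);
    return validate_mmap(buf, len, 8, count, entries, MAX_ENTRIES);
}

int main(void) {
    static const char *names[] = { "ok", "duplicate LCSM entry",
                                   "entry outside file", "index does not fit" };
    for (int v = 0; v < 3; v++)
        printf("variant %d: %s\n", v, names[check_sample(v)]);
    return 0;
}
```

The point of rejecting the duplicate at index-parse time is that every later stage can then assume each tag resolves to exactly one record; a parser that instead keeps the last (or first) matching entry silently leaves the other stages disagreeing about which record is live, which is the kind of state that ends in a dereference of a non-pointer value.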
CVSS Scoring System (CVSS v2)
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following vectors to calculate the scores:
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal vector: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro15.dir) is available to interested parties.
DETAILS
ModLoad: 03a20000 03a27000   C:\WINDOWS\system32\Adobe\Shockwave 11\xtras\CBrowser.x32
ModLoad: 03e10000 03e27000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextAsset\Text Asset.x32
ModLoad: 048a0000 04989000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextXtra\TextXtra.x32
ModLoad: 04430000 04475000   C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FontXtra\Font Xtra.x32
(1cc.b74): Access violation - code c0000005 (!!! second chance !!!)
eax=00000068 ebx=00000020 ecx=0162d550 edx=00000068 esi=0162d550 edi=0543386c
eip=69009f1f esp=0162d540 ebp=0543386c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll -
IML32!Ordinal1113+0xf:
69009f1f 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:0000006c=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at IML32!Ordinal1113+0x000000000000000f (Hash=0x1a537c3d.0x1a63313d)
The data from the faulting address is later used to determine whether or not a branch is taken.
At the faulting instruction eax holds 0x68 where a pointer is expected, so the load from [eax+4] reads the unmapped address 0x6c; the value it would have fetched is then used to decide a branch, which is why !exploitable reports it as "controls Branch Selection".
Exploitation details sent to Adobe.
CREDITS
This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/