Bugtraq mailing list archives

RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow


From: "Drew" <dcopley () eeye com>
Date: Mon, 12 Aug 2002 15:11:59 -0700

This is very similar to one of the other crashes we have found. (Breaking into it reveals the same instruction as one of them.) The current revision does not fix any of these other potentially exploitable crashes mentioned in the advisory.

The difficulty is really in making these crashes exploitable. The one which we posted about was absolutely exploitable and for which we wrote exploit code. This involved running bit combinations of the header and built-in stack tracing where key EIP changes were alerted and logged to a file. Since it is nearly impossible to crack 27 bytes with combinations between 00 and FF, we made some educated jumps at key junctures... over a period of several weeks.

This said, running tests against other filetypes has revealed similar issues which we are trying to find the time to fully work out. (The actual primary testing method does not involve so much bit shifting as it does going through the file systematically, looking for memory write issues, so that every error condition might at least be caught.)

And, some filetypes are far more difficult to test in this automated manner than Flash. For instance, pdf files involve a lengthy loading of the slow-running pdf module, and numerous office applications open outside windows which must be automatically closed... still not giving a solid opportunity to use the automated exception handler and debugger.

Hopefully, in the not too distant future Macromedia will have all
of these potentially exploitable conditions removed from their file
type, as their software is exceedingly popular and would make for
a very bad method of attack against users. 
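As an added illustration (not code from eEye or from either poster): a Python sanity checker for the fixed part of the SWF header, the kind of check a mail gateway or a fuzz harness can run before a file ever reaches the player. It decodes the signature, version, FileLength, frame RECT, frame rate and frame count, and flags inconsistencies such as a FileLength that disagrees with the actual file size; the sample file and its mutated variant are constructed here, and header-field checks like these will not notice body corruption of the kind the rot13 test quoted below produces.

```python
import struct

def _read_bits(data: bytes, bit_pos: int, n: int) -> tuple[int, int]:
    # Read n bits MSB-first from absolute bit offset bit_pos; return (value, next offset).
    val = 0
    for i in range(n):
        val = (val << 1) | ((data[(bit_pos + i) // 8] >> (7 - (bit_pos + i) % 8)) & 1)
    return val, bit_pos + n

def parse_swf_header(data: bytes) -> dict:
    # Decode signature, version, FileLength, frame RECT, frame rate and frame count.
    if len(data) < 9:
        raise ValueError("shorter than the 8 fixed header bytes plus RECT")
    nbits, pos = _read_bits(data, 64, 5)          # RECT begins at byte 8 with 5-bit Nbits
    end = (64 + 5 + 4 * nbits + 7) // 8 + 4       # RECT is byte-padded, then two UI16 fields
    if len(data) < end:
        raise ValueError("truncated inside RECT or frame fields")
    rect = []
    for _ in range(4):                             # Xmin, Xmax, Ymin, Ymax as signed twips
        v, pos = _read_bits(data, pos, nbits)
        rect.append(v - (1 << nbits) if nbits and v >> (nbits - 1) else v)
    return {
        "signature": data[:3], "version": data[3],
        "declared_length": struct.unpack_from("<I", data, 4)[0],
        "rect": tuple(rect),
        "frame_rate": struct.unpack_from("<H", data, end - 4)[0] / 256.0,  # fixed 8.8
        "frame_count": struct.unpack_from("<H", data, end - 2)[0],
    }

def check_swf_header(data: bytes) -> list[str]:
    # Return header inconsistencies; an empty list means the header passed every check.
    try:
        h = parse_swf_header(data)
    except ValueError as e:
        return [f"unparseable header: {e}"]
    findings = []
    if h["signature"] not in (b"FWS", b"CWS"):
        findings.append(f"unknown signature {h['signature']!r}")
    if h["signature"] == b"FWS" and h["declared_length"] != len(data):  # CWS stores the decompressed size
        findings.append(f"declared length {h['declared_length']} != actual {len(data)}")
    xmin, xmax, ymin, ymax = h["rect"]
    if xmax <= xmin or ymax <= ymin:
        findings.append(f"degenerate frame RECT {h['rect']}")
    return findings

def build_sample(declared_length=None) -> bytes:
    # Constructed minimal FWS v5 file: 550x400 px stage, 12 fps, ShowFrame + End tags.
    rect = bytes.fromhex("7800055F00000FA000")     # Nbits=15, (0, 11000, 0, 8000) twips
    body = b"\x40\x00\x00\x00"                     # ShowFrame (code 1), End (code 0)
    length = 21 + len(body) if declared_length is None else declared_length
    return b"FWS\x05" + struct.pack("<I", length) + rect + b"\x00\x0c\x01\x00" + body
```

Running `check_swf_header(build_sample())` returns no findings, while `build_sample(declared_length=0x7FFFFFFF)` reports the FileLength mismatch and a truncated file is reported as unparseable.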
-----Original Message-----
From: Carlos Laviola [mailto:carlos () laviola org] 
Sent: Sunday, August 11, 2002 3:14 AM
To: 'BUGTRAQ'
Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow


On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
> The linux and solaris updates will be available later today.
>
> You will be able to download it at:
> www.macromedia.com/go/getflashplayer/

I've downloaded this fixed version, but it seems to be vulnerable to something I've discovered last week: if you take a .swf and rot13 encode it (not all of it, so the headers are not messed up), you can crash the user's browser. I've tested it on Netscape 4.77 with Flash 4.0 r12 and Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0 r50 (both running on Debian unstable) and IE 6.0 (on Windows 2000) and all of them crash instantly when I try to open the rot13-garbled file.

Check it out:

http://alternex.com.br/~claviola/sample1.swf (original)
http://alternex.com.br/~claviola/sample2.swf (modified)
-- 
Carlos Laviola <carlos () laviola org>
