Bugtraq mailing list archives
RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
From: "Drew" <dcopley () eeye com>
Date: Mon, 12 Aug 2002 15:11:59 -0700
This is very similar to one of the other crashes we have found. (Breaking into it reveals the same instruction as one of them.) The current revision does not fix any of these other potentially exploitable crashes mentioned in the advisory. The difficulty is really in making these crashes exploitable. The one which we posted about was absolutely exploitable and which we wrote exploit code for. This involved running bit combinations of the header and built-in stack tracing where key EIP changes were alerted and logged to a file. Since it is nearly impossible to crack 27 bytes with combinations between 00 and FF, we made some educated jumps at key junctures... over a period of several weeks. This said, running tests against other filetypes has revealed similar issues which we are trying to find the time to fully work out. (The actual primary testing method does not involve so much bit shifting as it does going through the file systematically, looking for memory write issues, so that every error condition might at least be caught.) And some filetypes are far more difficult to test in this automated manner than Flash. For instance, pdf files involve a lengthy loading of the slow-running pdf module, and numerous office applications open outside windows which must be automatically closed... still not giving a solid opportunity to use the automated exception handler and debugger. Hopefully, in the not too distant future Macromedia will have all of these potentially exploitable conditions removed from their file type, as their software is exceedingly popular and would make for a very bad method of attack against users.
-----Original Message-----
From: Carlos Laviola [mailto:carlos () laviola org]
Sent: Sunday, August 11, 2002 3:14 AM
To: 'BUGTRAQ'
Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow

On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
> The linux and solaris updates will be available later today. You will be able to download it at: www.macromedia.com/go/getflashplayer/

I've downloaded this fixed version, but it seems to be vulnerable to something I discovered last week: if you take a .swf and rot13 encode it (not all of it, so the headers are not messed up), you can crash the user's browser. I've tested it on Netscape 4.77 with Flash 4.0 r12 and Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0 r50 (both running on Debian unstable) and IE 6.0 (on Windows 2000), and all of them crash instantly when I try to open the rot13-garbled file. Check it out:

http://alternex.com.br/~claviola/sample1.swf (original)
http://alternex.com.br/~claviola/sample2.swf (modified)

--
Carlos Laviola <carlos () laviola org>
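The thread above concerns SWF files whose first bytes are malformed. As an added example (not eEye's, Macromedia's, or either poster's code), here is a defender-side pre-filter in Python that parses the fixed SWF header and the bit-packed frame-size RECT that follows it, and reports the inconsistencies a damaged header produces (wrong signature, a declared length that disagrees with the file, a RECT whose field width runs past the available data) before a file reaches a player or a fuzzing harness. The SWF layout used is the published format; the sample file built by `make_sample_swf` is constructed for this example.

```python
import struct
import zlib
def _pack_rect(nbits, xmin, xmax, ymin, ymax):
    # RECT: 5-bit field width, then four fields of that width, MSB first, byte-padded.
    bits = nbits
    for v in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (v & ((1 << nbits) - 1))
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    return (bits << (nbytes * 8 - total)).to_bytes(nbytes, "big")

def _read_rect(body, off):
    nbits = body[off] >> 3  # the width field alone decides how many bytes follow
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    if off + nbytes > len(body):
        raise ValueError(f"frame-size RECT (nbits={nbits}) runs past end of data")
    bits = int.from_bytes(body[off:off + nbytes], "big") >> (nbytes * 8 - total)
    fields = [(bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1) for i in range(4)]
    return nbits, fields, off + nbytes

def check_swf_header(data):
    """Return (ok, problems) after checking the fixed and bit-packed SWF header fields."""
    if len(data) < 8:
        return False, ["shorter than the 8-byte fixed header"]
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        return False, [f"unknown signature {sig!r}"]
    body = data[8:]
    if sig == b"CWS":  # compressed: the length field covers the inflated file
        try:
            body = zlib.decompress(body)
        except zlib.error as e:
            return False, [f"CWS body does not inflate: {e}"]
    problems = []
    if declared != len(body) + 8:
        problems.append(f"declared length {declared} != actual {len(body) + 8}")
    try:
        nbits, rect, off = _read_rect(body, 0)
    except (ValueError, IndexError) as e:
        return False, problems + [str(e)]
    if nbits == 0 or off + 4 > len(body):  # degenerate stage or no frame rate/count
        problems.append(f"bad frame size {rect} (nbits={nbits}) or truncated header")
    return not problems, problems

def make_sample_swf(declared=None):
    # Constructed minimal FWS: 550x400 px stage in twips, 12.0 fps, one ShowFrame, End tag.
    body = _pack_rect(15, 0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1)
    body += b"\x40\x00\x00\x00"  # ShowFrame tag (code 1, len 0) then End tag (code 0)
    length = len(body) + 8 if declared is None else declared
    return b"FWS" + bytes([6]) + struct.pack("<I", length) + body
```

Run `check_swf_header` over a corpus of samples before feeding them to a player; files it rejects are the ones worth looking at in a debugger rather than in a browser.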