Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2881

From: Rodrigo Branco <rbranco () checkpoint com>
Date: Wed, 25 Aug 2010 06:02:39 -0700
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2881

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including 
animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by 
opening a malformed file with an invalid value located in PoC repro02.dir at offset 0x24C0.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS


CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro02.dir) is available to interested parts, together with a deep exploitability 
analysis.


DETAILS

Disassembly:

6900725F   8B0D 3CEA0B69    MOV ECX,DWORD PTR DS:[690BEA3C]
69007265   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
69007268   8B75 0C          MOV ESI,DWORD PTR SS:[EBP+C]
6900726B   F7C7 07000000    TEST EDI,7
69007271   74 0F            JE SHORT IML32.69007282
69007273   8A06             MOV AL,BYTE PTR DS:[ESI]
69007275   83C6 01          ADD ESI,1
69007278   8807             MOV BYTE PTR DS:[EDI],AL
6900727A   83C7 01          ADD EDI,1
6900727D   49               DEC ECX
6900727E   74 42            JE SHORT IML32.690072C2
69007280  ^EB E9            JMP SHORT IML32.6900726B
69007282   83F9 20          CMP ECX,20
69007285   7C 29            JL SHORT IML32.690072B0
69007287   0F6F5E 18        MOVQ MM3,QWORD PTR DS:[ESI+18] <--- Problem

ESI = 0x06CAFFE8


CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team 
(VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
Previous By Date Next
Previous By Thread Next

Current thread: