[guru] Adobe security updates
DATE: Tue, 31 Aug 2010 23:25:43 +0200
Adobe Shockwave Player and Director contain numerous security flaws:
several integer and heap overflows, several out-of-bounds array accesses,
and use of uninitialized memory in the RIFF format parser, and several
integer overflow bugs were also found in the TextXtra.x32 module.
--- Begin Message ---
TPTI-10-09: Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-09
August 24, 2010
-- CVE ID:
CVE-2010-2877
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within IML32X.dll and DIRAPIX.dll which are
responsible for parsing the Director movies, a RIFF-based file format.
The code trusts a value from the file as a count and performs an
endian-flipping loop on data in heap memory. If the value is large
enough the process can be made to seek outside the bounds of the
allocation and thus corrupt memory in a controlled fashion. This can be
leveraged by an attacker to execute arbitrary code under the context of
the user running the web browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz
--- End Message ---
--- Begin Message ---
TPTI-10-10: Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-10
August 24, 2010
-- CVE ID:
CVE-2010-2878
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within DIRAPIX.dll which is responsible for
parsing the Director movies, a RIFF-based file format. The code directly
uses a value from the file while seeking into a heap buffer. The process
then attempts to write a NULL byte to the seeked address. By specifying
a large enough value for this field, an attacker can force the process
to seek beyond the allocated bounds of the buffer. This can be leveraged
by an attacker to execute arbitrary code under the context of the user
running the web browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz
--- End Message ---
--- Begin Message ---
TPTI-10-11: Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-11
August 24, 2010
-- CVE ID:
CVE-2010-2874
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within DIRAPIX.dll which is responsible for
parsing the Director movies, a RIFF-based file format. The code
sign-extends a value from the input file and uses it as an offset to
seek into a heap buffer before performing a write operation. By crafting
particular values for this field, an attacker can force the process to
seek beyond the allocated bounds of the buffer. This can be leveraged by
an attacker to execute arbitrary code under the context of the user
running the web browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz
--- End Message ---
--- Begin Message ---
TPTI-10-12: Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-12
August 24, 2010
-- CVE ID:
CVE-2010-2879
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists due to a faulty allocation routine within the
TextXtra.x32 module. This allocator allocates a buffer on the heap based
on arithmetic involving a number of elements and a size of an individual
element. As the fields come from the file, if either of them are large
enough, the value used for the number of bytes to allocate can be made
to overflow. As the return value is rarely checked any caller of this
function can usually be made to overflow the returned buffer with
user-supplied data. An attacker can leverage this to execute remote code
under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team Montreal Hotties
--- End Message ---
--- Begin Message ---
TPTI-10-13: Adobe Shockwave Director tSAC Chunk Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-13
August 24, 2010
-- CVE ID:
CVE-2010-2866
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the code responsible for parsing
Director's RIFF-based file format. While parsing the tSAC chunk, the
DIRAPI module does not properly verify the signedness of a count value
within an undocumented structure. By providing a large enough negative
value a pointer can be miscalculated leading to memory corruption. This
can be exploited by a remote attacker to execute arbitrary code under
the context of the user running the web browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown
--- End Message ---
--- Begin Message ---
TPTI-10-14: Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-14
August 24, 2010
-- CVE ID:
CVE-2010-2867
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the code responsible for parsing the
Director RIFF-based file format. While handling the rcsL chunk, code
within DIRAPIX sign-extends a return value from a call to Ordinal1412
within the IML32X module. This ordinal is responsible for unmarshalling
a WORD value from the RIFF chunk. If the value is signed, DIRAPIX
sign-extends the value, performs arithmetic on it, and then proceeds to
use it as an offset into a heap-based buffer. By supplying any of a
specific range of values, an attacker can exploit this condition to
execute arbitrary code under the context of the user running the web
browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown
--- End Message ---
--- Begin Message ---
TPTI-10-15: Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-15
August 24, 2010
-- CVE ID:
CVE-2010-2870
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the DIRAPIX module responsible for
parsing the RIFF-based Director file format. When handling the mmap
chunk, the process trusts the chunk size immediately following the
fourCC value. It is passed to Ordinal1111 exported by the IML32X module
which is responsible for allocating a heap buffer for processing the
rest of the chunk. If an incorrect size is provided, later memory copies
can corrupt data beyond the allocated buffer. This can be abused to
execute remote code under the context of the user running the web
browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown
--- End Message ---
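Added example (the editor's, not code from the TippingPoint advisories above): a small RIFF chunk walker in C that shows the two checks whose absence TPTI-10-09 and TPTI-10-15 describe. A chunk size is validated against the bytes actually remaining before it is used for allocation or copying, and a table count is validated against the chunk's own size before the endian-flipping loop runs. The container layout, the "cnts" chunk type, the function names and the sample bytes are constructed for this demonstration and are not the Director file format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample (not a real Director file): a little-endian RIFF
 * container holding one well-formed "cnts" chunk (u32 count + count
 * big-endian u32 values) and one chunk whose size field claims 0x7FFFFFFF
 * bytes although only 4 follow it. */
static const uint8_t SAMPLE[] = {
    'R','I','F','F',  0x20,0x00,0x00,0x00,  'D','E','M','O',
    'c','n','t','s',  0x08,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,  0xAA,0xBB,0xCC,0xDD,
    'b','a','d','!',  0xFF,0xFF,0xFF,0x7F,  0x00,0x00,0x00,0x00
};

/* Constructed "cnts" payload whose count (0x40000000) cannot fit in 8 bytes. */
static const uint8_t BAD_TABLE[] = { 0x00,0x00,0x00,0x40,  0x00,0x00,0x00,0x00 };

static uint32_t g_table[8];   /* scratch output for the flipped values */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Convert a count-prefixed table of big-endian u32 values to host order.
 * The count is checked against the chunk's own size (so the loop cannot
 * run past the chunk) and against the output capacity before any byte is
 * touched. Returns the number of values converted, or -1 for a bad count. */
int flip_count_table(const uint8_t *chunk, uint32_t chunk_size,
                     uint32_t *out, size_t out_cap) {
    if (chunk_size < 4) return -1;
    uint32_t count = rd_le32(chunk);
    if (count > (chunk_size - 4) / 4 || count > out_cap) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = chunk + 4 + 4 * i;
        out[i] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    }
    return (int)count;
}

typedef struct {
    int chunks_ok;        /* chunks whose declared size fit in the buffer */
    int chunks_rejected;  /* chunks rejected because size > bytes remaining */
    int values_flipped;   /* values converted from "cnts" chunks */
} walk_result;

/* Walk the chunks after the 12-byte RIFF header. A declared chunk size is
 * honoured only when it fits inside the bytes that remain; otherwise the
 * walk stops instead of reading, allocating or copying past the end. */
walk_result walk_riff(const uint8_t *buf, size_t len) {
    walk_result r = {0, 0, 0};
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0) return r;
    size_t pos = 12;
    while (len - pos >= 8) {
        const uint8_t *hdr = buf + pos;
        uint32_t size = rd_le32(hdr + 4);
        size_t remaining = len - pos - 8;
        if (size > remaining) {            /* the check the advisories describe as missing */
            r.chunks_rejected++;
            break;
        }
        if (memcmp(hdr, "cnts", 4) == 0) {
            int n = flip_count_table(hdr + 8, size, g_table, 8);
            if (n > 0) r.values_flipped += n;
        }
        r.chunks_ok++;
        pos += 8 + size;
        if ((size & 1) && pos < len) pos++;   /* RIFF pads odd-sized chunks */
    }
    return r;
}

walk_result walk_sample(void) { return walk_riff(SAMPLE, sizeof SAMPLE); }
uint32_t first_flipped_value(void) { walk_sample(); return g_table[0]; }

int main(void) {
    walk_result r = walk_sample();
    printf("ok=%d rejected=%d flipped=%d first=0x%08X\n",
           r.chunks_ok, r.chunks_rejected, r.values_flipped, g_table[0]);
    return 0;
}
```

The walker never uses the container's own size field to decide how far to read; the buffer length it was handed is the only trusted bound, and every per-chunk size is compared against what is left of it.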
--- Begin Message ---
ZDI-10-160: Adobe Shockwave Player Director File FFFFFF45 Record Processing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-160
August 24, 2010
-- CVE ID:
CVE-2010-2871
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10286.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the application's support for 3D
objects. While parsing the 0xFFFFFF45 RIFF record type, the process
performs arithmetic on a size value and uses the result for a heap-based
allocation. By specifying a large enough value an attacker can force the
integer to wrap and thus the process will under-allocate the buffer.
This memory is later copied into using a different size value which
results in object corruption that can be leveraged to execute arbitrary
code under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
--- End Message ---
--- Begin Message ---
ZDI-10-161: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-161
August 24, 2010
-- CVE ID:
CVE-2010-2872
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9969.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the code responsible for parsing
Director files. When the application parses the pami RIFF chunk, it
trusts an offset value and seeks into the file data. If provided with
signed values in the data at the given offset, the process can be made
to incorrectly calculate a pointer and operate on the data at its
location. This can be abused by an attacker to execute arbitrary code
under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
--- End Message ---
--- Begin Message ---
ZDI-10-162: Adobe Shockwave Director rcsL Chunk Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-162
August 24, 2010
-- CVE ID:
CVE-2010-2873
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the parsing of the rcsL RIFF chunk
within Director files of extension DIR or DCR. While parsing this
undocumented structure, the application blindly trusts an offset value
and uses it while operating on heap memory. An attacker can abuse this
to corrupt a function pointer which can lead to arbitrary code execution
under the context of the user running the web browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
--- End Message ---
--- Begin Message ---
ZDI-10-163: Adobe Shockwave Director tSAC Chunk Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-163
August 24, 2010
-- CVE ID:
CVE-2010-2874
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the parsing of the undocumented tSAC
RIFF chunk. By setting a specified field within this structure to NULL,
the application fails to initialize an object pointer. This
uninitialized pointer is later called which causes the application to
jump into random heap memory. By crafting the application's memory state
an attacker can utilize this issue to execute arbitrary code under the
context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
--- End Message ---
--- Begin Message ---
ZDI-10-164: Adobe Shockwave Player Director File FFFFFF88 Record Processing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-164
August 24, 2010
-- CVE ID:
CVE-2010-2876
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10285.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the code responsible for parsing .dir
and .dcr files. The Director file format is RIFF-based. While parsing an
undocumented record of type 0xFFFFFFF8 the process trusts two user
supplied word values when performing arithmetic to calculate a heap
buffer size. By specifying large enough values an integer wrap can
occur. The allocated heap buffer can later be overflowed with user
supplied data. This can be leveraged by attackers to execute remote code
under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-20.html
-- Disclosure Timeline:
2010-07-20 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
--- End Message ---
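Added example (the editor's, not code from the ZDI or TippingPoint advisories): the count-times-size arithmetic that TPTI-10-12 (the TextXtra allocator), ZDI-10-160 and ZDI-10-164 describe, in C, with the unchecked 32-bit multiplication beside a version that refuses any product that does not fit in 32 bits. The function names and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern in the advisories: an element count and an element size both
 * come from the file and are multiplied in 32-bit arithmetic. For large
 * inputs the product wraps, a small buffer is allocated, and a later copy
 * that is sized from the original count runs past it. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;              /* wraps silently */
}

/* Hardened form: succeed only when count * elem_size fits in 32 bits. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

/* Convenience predicate for callers that only need the verdict. */
bool size_fits(uint32_t count, uint32_t elem_size) {
    uint32_t unused;
    return checked_alloc_size(count, elem_size, &unused);
}

/* True when the number of bytes a later copy would move (count * elem_size
 * computed without wrap) exceeds what the unchecked allocator reserved. */
bool copy_would_overflow(uint32_t count, uint32_t elem_size) {
    uint64_t needed = (uint64_t)count * elem_size;
    return needed > unchecked_alloc_size(count, elem_size);
}

/* Allocator wrapper built on the checked arithmetic: returns NULL instead
 * of an undersized buffer, so every caller has a single condition to test. */
void *alloc_array(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes) || bytes == 0) return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed inputs: 0x10000001 elements of 16 bytes each. */
    uint32_t count = 0x10000001u, elem = 16u;
    printf("unchecked size: %u bytes (wrapped)\n", unchecked_alloc_size(count, elem));
    printf("checked: %s\n", size_fits(count, elem) ? "ok" : "rejected");
    printf("later copy overflows: %s\n", copy_would_overflow(count, elem) ? "yes" : "no");
    void *p = alloc_array(100, 4);
    printf("sane request: %s\n", p ? "allocated 400 bytes" : "failed");
    free(p);
    return 0;
}
```

The division-based check is the portable form; compilers that provide `__builtin_mul_overflow` can express the same test in one call. The point the advisories make about the return value being rarely checked also applies here: a NULL from `alloc_array` only helps if the caller tests for it.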
--- Begin Message ---
iDefense Security Advisory 08.24.10
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 24, 2010
I. BACKGROUND
Adobe Shockwave Player is a popular Web browser plugin. It is available
for multiple Web browsers and platforms, including Windows and MacOS.
Shockwave Player enables Web browsers to display rich multimedia
content in the form of Shockwave videos. For more information, see the
vendor's site found at the following link:
http://get.adobe.com/shockwave
II. DESCRIPTION
Remote exploitation of a memory corruption vulnerability in Adobe
Systems Inc.'s Shockwave Player could allow an attacker to execute
arbitrary code with the privileges of the current user.
The vulnerability takes place during the processing of a tSAC chunk within
an Adobe Director file. A length value is read from the tSAC chunk and
a signed comparison is made against the length value. If the length
value is negative, a memory address is incorrectly calculated and a
null byte is written to the memory address. This condition may lead to
arbitrary code execution.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the Web page. To exploit
this vulnerability, a targeted user must load a malicious Adobe
Director file created by an attacker. An attacker typically
accomplishes this via social engineering or injecting content into a
compromised, trusted site.
IV. DETECTION
Shockwave Player 11.5.7.609 and earlier versions for Windows and
Macintosh are vulnerable.
V. WORKAROUND
The killbit for the Shockwave Player ActiveX control can be set by
creating the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{233C1507-6A77-46A4-9443-F871F945D258}
Under this key create a new DWORD value called "Compatibility Flags" and set
its hexadecimal value to 400.
To re-enable Shockwave Player set the "Compatibility Flags" value to 0.
VI. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://get.adobe.com/shockwave/
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-2875 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
07/07/2010 Initial Vendor Notification
07/07/2010 Initial Vendor Reply
08/24/2010 Coordinated Public Disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
--- End Message ---
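Added example (the editor's, not code from any of the advisories above): the signed-value mistake shared by TPTI-10-11, TPTI-10-13, TPTI-10-14, ZDI-10-161 and the iDefense advisory for CVE-2010-2875, in C. A 16-bit field read from the file is sign-extended, so a value with its top bit set passes a signed upper-bound comparison as a negative number and then places the write before the buffer; the hardened reader keeps the value unsigned and range-checks it before it is used as an index. The field bytes, buffer sizes and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 16-bit fields as they would appear in the file (little-endian). */
static const uint8_t FIELD_NEG[2] = { 0xF0, 0xFF };   /* 0xFFF0: -16 if signed */
static const uint8_t FIELD_OK[2]  = { 0x05, 0x00 };   /* 5 either way */

/* How the vulnerable code reads the word: through a signed 16-bit type, so
 * the value is sign-extended when widened to int. */
int read_word_signed(const uint8_t *p) {
    int16_t w = (int16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
    return (int)w;
}

/* Same bytes kept unsigned: 0xFFF0 stays 65520. */
unsigned read_word_unsigned(const uint8_t *p) {
    return (unsigned)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable pattern: only an upper bound is checked, in signed arithmetic,
 * before the value indexes a buffer of 4-byte elements. Returns the byte
 * displacement the write would use relative to the start of the buffer;
 * a negative result lands before the allocation. */
long vulnerable_displacement(const uint8_t *field, size_t buf_elems) {
    int count = read_word_signed(field);
    if (count >= (int)buf_elems) return 0;   /* -16 passes this test */
    return (long)count * 4;
}

/* Hardened pattern: unsigned read plus an explicit range check; returns
 * the element index, or -1 when the field is out of range. */
long safe_index(const uint8_t *field, size_t buf_elems) {
    unsigned count = read_word_unsigned(field);
    if (count >= buf_elems) return -1;
    return (long)count;
}

int main(void) {
    printf("0xFFF0 signed=%d unsigned=%u\n",
           read_word_signed(FIELD_NEG), read_word_unsigned(FIELD_NEG));
    printf("vulnerable write displacement: %ld bytes\n",
           vulnerable_displacement(FIELD_NEG, 64));
    printf("safe_index: %ld (bad field), %ld (good field)\n",
           safe_index(FIELD_NEG, 64), safe_index(FIELD_OK, 64));
    return 0;
}
```

The two readers see the same two bytes; only the type they widen into differs. That is why the advisories describe the fix as verifying signedness rather than tightening a bound: a check of the form `count < max` is satisfied by every negative value.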
--- Begin Message ---
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2868
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.
Adobe Shockwave player does not properly parse .dir media files, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parties.
DETAILS
Disassembly:
69081240 74 46 JE SHORT IML32.69081288
69081242 8B16 MOV EDX,DWORD PTR DS:[ESI]
69081244 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
69081247 83E2 02 AND EDX,2
6908124A 0BD5 OR EDX,EBP
6908124C 83CA 01 OR EDX,1
6908124F 8916 MOV DWORD PTR DS:[ESI],EDX
69081251 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
69081254 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
69081257 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
6908125A 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
6908125D 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
69081260 8BFE MOV EDI,ESI
69081262 03F5 ADD ESI,EBP
69081264 894C31 FC MOV DWORD PTR DS:[ECX+ESI-4],ECX <--- Problem
ECX = 0x616CF240
ESI = 0x06C94038
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
--- Begin Message ---
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2882
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin for many different browsers to view rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module DIRAPI.dll when opening a malformed file with an invalid value located in PoC repro.dir at offset 0x3812.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro11.dir) is available to interested parties.
DETAILS
Disassembly:
68113255 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
68113259 8B01 MOV EAX,DWORD PTR DS:[ECX]
6811325B FF48 04 DEC DWORD PTR DS:[EAX+4]
6811325E 8B01 MOV EAX,DWORD PTR DS:[ECX]
68113260 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
68113263 85C9 TEST ECX,ECX
68113265 ^0F8F 95EEFFFF JG DIRAPI.68112100
6811326B 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
6811326F 8B08 MOV ECX,DWORD PTR DS:[EAX]
68113271 52 PUSH EDX
68113272 56 PUSH ESI
68113273 FF51 0C CALL DWORD PTR DS:[ECX+C] <--- Problem
ECX = 0x00000000
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
--- Begin Message ---
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2869
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin for many different browsers to view rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll when opening a malformed file with an invalid value located in PoC repro10.dir at offset 0x3712.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro10.dir) is available to interested parties.
DETAILS
Disassembly:
7C9011DD > 8BFF MOV EDI,EDI
7C9011DF 55 PUSH EBP
7C9011E0 8BEC MOV EBP,ESP
7C9011E2 83EC 54 SUB ESP,54
7C9011E5 56 PUSH ESI
7C9011E6 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C9011EC 803D 94E0977C 00 CMP BYTE PTR DS:[7C97E094],0
7C9011F3 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
7C9011F6 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
7C9011F9 0F85 F7EC0000 JNZ ntdll.7C90FEF6
7C9011FF F646 10 10 TEST BYTE PTR DS:[ESI+10],10
7C901203 0F84 EDEC0000 JE ntdll.7C90FEF6
7C901209 5E POP ESI
7C90120A C9 LEAVE
7C90120B C2 0400 RETN 4
7C90120E > CC INT3
7C90120F C3 RETN <--- Stop Here :)
EIP = 0x00000000
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
--- Begin Message ---
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2864
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin for many different browsers to view rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll when opening a malformed file with an invalid value located in PoC repro03.dir at offset 0x24C6.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro03.dir) is available to interested parties.
DETAILS
Disassembly:
69009F10 > 56 PUSH ESI
69009F11 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
69009F15 85F6 TEST ESI,ESI
69009F17 74 46 JE SHORT IML32.69009F5F
69009F19 8B06 MOV EAX,DWORD PTR DS:[ESI]
69009F1B 85C0 TEST EAX,EAX
69009F1D 74 3A JE SHORT IML32.69009F59
69009F1F 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] <--- Problem
EAX = 0xA1A10000
ECX = 0x0013D0C8
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
--- Begin Message ---
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2881
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin for many different browsers to view rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll when opening a malformed file with an invalid value located in PoC repro02.dir at offset 0x24C0.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro02.dir) is available to interested parties, together with a deep exploitability analysis.
DETAILS
Disassembly:
6900725F 8B0D 3CEA0B69 MOV ECX,DWORD PTR DS:[690BEA3C]
69007265 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
69007268 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
6900726B F7C7 07000000 TEST EDI,7
69007271 74 0F JE SHORT IML32.69007282
69007273 8A06 MOV AL,BYTE PTR DS:[ESI]
69007275 83C6 01 ADD ESI,1
69007278 8807 MOV BYTE PTR DS:[EDI],AL
6900727A 83C7 01 ADD EDI,1
6900727D 49 DEC ECX
6900727E 74 42 JE SHORT IML32.690072C2
69007280 ^EB E9 JMP SHORT IML32.6900726B
69007282 83F9 20 CMP ECX,20
69007285 7C 29 JL SHORT IML32.690072B0
69007287 0F6F5E 18 MOVQ MM3,QWORD PTR DS:[ESI+18] <--- Problem
ESI = 0x06CAFFE8
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
--- Begin Message ---
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2880
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin for many different browsers to view rich-media content on the web, including animations, interactive presentations, and online entertainment.
Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module DIRAPI.dll when opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x47.
This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, a PoC file (repro01.dir) is available to interested parties.
DETAILS
Disassembly:
68001602 40 INC EAX
68001603 83E0 FE AND EAX,FFFFFFFE
68001606 8945 04 MOV DWORD PTR SS:[EBP+4],EAX
68001609 8D5408 08 LEA EDX,DWORD PTR DS:[EAX+ECX+8]
6800160D 8B47 20 MOV EAX,DWORD PTR DS:[EDI+20]
68001610 8B58 10 MOV EBX,DWORD PTR DS:[EAX+10]
68001613 83FB FF CMP EBX,-1
68001616 895424 14 MOV DWORD PTR SS:[ESP+14],EDX
6800161A 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
6800161E 0F8E 92010000 JLE DIRAPI.680017B6
68001624 53 PUSH EBX
68001625 57 PUSH EDI
68001626 E8 C5140000 CALL DIRAPI.68002AF0
6800162B 8BD8 MOV EBX,EAX
6800162D 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] <-- Problem
EBX = 0x46A6FAAC
EAX = 0x46A6FAAC
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
--- End Message ---
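The defect class running through all of these advisories is a value read from a malformed .dir file that the parser acts on before checking it against the data actually present. Shown from the defender's side, as an added example written for this digest and not taken from Adobe's code or from any of the advisories: a small bounds-checked chunk walker. The container layout it assumes (a 4-byte tag, a 4-byte little-endian payload length, and a "TABL" payload that begins with an element count) is a constructed simplification for illustration, not the real Director file structure, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example (not Director's real structure):
 * a sequence of chunks, each: 4-byte ASCII tag, 4-byte little-endian
 * payload length, then the payload. A "TABL" payload starts with a
 * 4-byte little-endian element count followed by count * 4 bytes. */
typedef struct {
    char tag[5];            /* NUL-terminated copy of the 4-byte tag */
    uint32_t len;           /* payload length as declared in the file */
    const uint8_t *payload; /* points into the caller's buffer */
} chunk_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the chunk list. Returns the number of chunks found, or -1 if a
 * declared length does not fit in the bytes that remain. The test is a
 * comparison of lengths against `remaining`; an untrusted length is never
 * added to a pointer first and checked afterwards, which could wrap. */
int walk_chunks(const uint8_t *buf, size_t size, chunk_t *out, size_t max_out) {
    size_t off = 0;
    int n = 0;
    while (off < size) {
        size_t remaining = size - off;
        if (remaining < 8) return -1;           /* truncated chunk header */
        uint32_t len = le32(buf + off + 4);
        if (len > remaining - 8) return -1;     /* declared length exceeds the buffer */
        if ((size_t)n < max_out) {
            memcpy(out[n].tag, buf + off, 4);
            out[n].tag[4] = '\0';
            out[n].len = len;
            out[n].payload = buf + off + 8;
        }
        n++;
        off += 8 + (size_t)len;                 /* cannot exceed size after the check above */
    }
    return n;
}

/* Validate a TABL payload. The element count is used only after it is
 * checked against the payload size; dividing the available bytes by the
 * element size avoids the 32-bit wrap that a naive `count * 4 <= len`
 * would let through. Returns the count, or -1 if it does not fit. */
long table_count(const uint8_t *payload, uint32_t len) {
    if (len < 4) return -1;
    uint32_t count = le32(payload);
    if (count > (len - 4) / 4) return -1;
    return (long)count;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[] = {
    'C','H','K','1',  4,0,0,0,  'a','b','c','d',
    'T','A','B','L', 12,0,0,0,  2,0,0,0,  1,0,0,0,  2,0,0,0
};
/* Header declares a 0xFFFFFFF0-byte payload but only 2 bytes follow. */
static const uint8_t BAD_LEN[] = { 'C','H','K','1', 0xF0,0xFF,0xFF,0xFF, 'a','b' };
/* TABL payload: count 0x40000001 (count * 4 wraps to 4 in 32 bits), 4 bytes of elements. */
static const uint8_t BAD_COUNT[] = { 0x01,0x00,0x00,0x40, 1,0,0,0 };

int main(void) {
    chunk_t chunks[4];
    int n = walk_chunks(GOOD, sizeof GOOD, chunks, 4);
    printf("good file: %d chunks\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s len=%u\n", chunks[i].tag, chunks[i].len);
    printf("TABL count: %ld\n", table_count(chunks[1].payload, chunks[1].len));
    printf("oversized length: %d\n", walk_chunks(BAD_LEN, sizeof BAD_LEN, chunks, 4));
    printf("wrapping count: %ld\n", table_count(BAD_COUNT, sizeof BAD_COUNT));
    return 0;
}
```

The two checks correspond to the two ways a file-supplied value reaches memory in the advisories above: a length or offset used to seek within a buffer, and a count used to size a loop or allocation. Rejecting the file at the first check keeps a malformed input from ever becoming a bad pointer.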