Bugtraq mailing list archives
Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX
From: Troy Evans <tevans () macromedia com>
Date: 18 Nov 2002 18:38:18 -0000
In-Reply-To: <118-2136623052.20021118134327 () SECURITY NNOV RU>

Status on the below posting regarding:

1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.

1. zlib 1.1.4 double free() bug
=====================

Flash Player 6 was released with the fix for the double free() bug back in March 2002; the player ships with the latest version, 1.1.4. We have not found any exploit of this to date, since we ship with the latest version.

2. SW Remote parameter tag
=====================

We investigated this issue and worked with LOM <lom at lom.spb.ru> to try and reproduce this buffer overflow. In all of our testing we could NOT reproduce a buffer overflow, but there is indeed a crash bug which we have a fix for in our public beta at <http://www.macromedia.com/software/flashplayer/special/beta/>.

In all of these cases we worked directly with the reporter and resolved these issues, to be either an issue or a non-issue. Macromedia is committed to security; we take security very seriously.

Regards,
Troy Evans
Flash Player Product Manager
Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet Explorer
Vendor: Macromedia was contacted on 23 Oct 2002.
Risk: High
Remote: Yes
Exploitable: Yes

Intro:
The Macromedia Flash ActiveX plugin displays .swf files under Internet Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have the Macromedia Flash Player".

Vulnerabilities:
A few vulnerabilities were identified: protected memory reading, memory consumption DoS and, more serious:

1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.

Details:
The last bug is very close to the one reported by eEye in May [2]. Probably it was not found by eEye because the overflow is heap-based, so the exception is triggered on free(). It may be achieved by setting and changing the property with Javascript, for example. This kind of overflow (heap-based Unicode overflow) is exploitable under Internet Explorer. The attached proof of concept (by LOM) [1] demonstrates the exception triggered in free(). See [3] for exploiting heap overflows, [4] for exploiting Unicode overflows under Internet Explorer.

Credits:
Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

Vendor:
Macromedia was contacted on 23 Oct 2002. The only reply was received on 29 Oct 2002, that Macromedia will look into these issues.

Workaround:
Disable ActiveX in Internet Explorer or uninstall the Flash ActiveX.

References:
1. Macromedia Shockwave proof of concept
   http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash ActiveX Buffer Overflow
   http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
   http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)
   http://www.security.nnov.ru/search/document.asp?docid=2554
5. Additional or updated information on this issue
   http://www.security.nnov.ru/search/news.asp?binid=1982
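The advisory's second finding is described as a heap-based Unicode overflow. The root cause of that bug class is a unit mismatch: a UTF-16 value is measured in characters while the destination is sized in bytes, so a length check passes input up to twice as large as what actually fits. The block below is an added illustration for defenders and is not code from the advisory, from the proof of concept, or from the Flash player; the record type `wide_param_t`, the functions `wide_fits_naive`, `wide_fits_safe` and `set_wide_param`, and the 64-byte buffer size are all assumptions made up for the example. It places the mistaken check beside a byte-accurate one and shows a setter that rejects oversized input without touching the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size record standing in for an object property stored
   as UTF-16 (constructed for this example; not a Flash player structure). */
#define PARAM_BUF_BYTES 64
typedef struct {
    uint16_t value[PARAM_BUF_BYTES / sizeof(uint16_t)]; /* 32 UTF-16 code units */
    size_t   nchars;                                    /* code units stored   */
} wide_param_t;

/* The mistake behind "Unicode overflows": the length is counted in characters
   but the destination is sized in bytes. Each UTF-16 code unit is two bytes,
   so this check accepts up to twice what the buffer can hold. */
int wide_fits_naive(size_t nchars, size_t buf_bytes)
{
    return nchars <= buf_bytes;
}

/* Hardened check: convert the character count to bytes, guarding the
   multiplication against wrap-around, and compare in one unit. */
int wide_fits_safe(size_t nchars, size_t buf_bytes)
{
    if (nchars > SIZE_MAX / sizeof(uint16_t))
        return 0;                              /* nchars * 2 would wrap */
    return nchars * sizeof(uint16_t) <= buf_bytes;
}

/* Copy a UTF-16 value into the record only when the byte-accurate check
   passes. Returns 1 on success, 0 on rejection; the record is left untouched
   on rejection so no partial write is ever observable. */
int set_wide_param(wide_param_t *p, const uint16_t *src, size_t nchars)
{
    if (!wide_fits_safe(nchars, sizeof p->value))
        return 0;
    memcpy(p->value, src, nchars * sizeof(uint16_t));
    p->nchars = nchars;
    return 1;
}

/* Build a constructed UTF-16 test string: n copies of 'A' (U+0041),
   clamped to the caller's capacity. Returns the number of code units written. */
size_t make_wide_a(uint16_t *out, size_t cap, size_t n)
{
    size_t i;
    if (n > cap)
        n = cap;
    for (i = 0; i < n; i++)
        out[i] = 0x0041;
    return n;
}

int main(void)
{
    wide_param_t p = {{0}, 0};
    uint16_t buf[128];
    size_t n = make_wide_a(buf, 128, 48);          /* 48 chars = 96 bytes */

    printf("naive check, 48 chars into %d bytes: %d\n", PARAM_BUF_BYTES, wide_fits_naive(n, PARAM_BUF_BYTES));
    printf("safe  check, 48 chars into %d bytes: %d\n", PARAM_BUF_BYTES, wide_fits_safe(n, PARAM_BUF_BYTES));
    printf("set_wide_param(48 chars): %d\n", set_wide_param(&p, buf, n));

    n = make_wide_a(buf, 128, 32);                 /* 32 chars = 64 bytes, exactly fits */
    printf("set_wide_param(32 chars): %d, stored %zu code units\n", set_wide_param(&p, buf, n), p.nchars);
    return 0;
}
```

The point of keeping both checks side by side is that the naive one is not obviously wrong when read in isolation; it only fails once the caller's unit (characters) and the buffer's unit (bytes) are compared explicitly, which is why the hardened version does that conversion in exactly one place.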
Current thread:
- Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX Troy Evans (Nov 19)
- <Possible follow-ups>
- LOM: Multiple vulnerabilities in Macromedia Flash ActiveX 3APA3A (Nov 19)