Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX

[Troy Evans <tevans () macromedia com>]

In-Reply-To: <118-2136623052.20021118134327 () SECURITY NNOV RU>

Status on the below posting regarding:

1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.

1. zlib 1.1.4 double free() bug
=====================
Flash Player 6 was released with the fix for the double free() bug back in 
March 2002, the player ships with the latest version 1.1.4.

We have not found any exploit of this to date, since we ship with the 
latest version


2. SW Remote parameter tag
=====================
We investigated this issue and worked with LOM <lom at lom.spb.ru> to try 
and reproduce this buffer overflow.  In all of our testing we could NOT 
reproduce a buffer overflow, but there is indeed a crash bug which we have 
a fix for in our public beta at
<http://www.macromedia.com/software/flashplayer/special/beta/>

In all of these cases we worked directly with the reporter and resolved 
these issues, to be either an issue or a non issue.

Macromedia is committed to security, we take security very seriously.

Regards
Troy Evans
Flash Player Product Manager




> Author: LOM <lom at lom.spb.ru>
> Product:  Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
>          Explorer
> Vendor: Macromedia was contacted on 23 Oct 2002.
> Risk: High
> Remote: Yes
> Exploitable: Yes
>
> Into:
>
> Macromedia  flash  ActiveX  plugin  displays  .swf  files under Internet
> Explorer.  Quoting www.macromedia.com: "Over 97.8% of all web users have
> the Macromedia Flash Player".
>
> Vulnerabilities:
>
> Few  vulnerabilities  were  identified: protected memory reading, memory
> consumption DoS and more serious:
> 1. zlib 1.1.3 double free() bug
> 2. Buffer overflow in SWRemote parameter for flash object.
>
> Details:
>
> Last  bug  is very close to one reported by eEye in May [2]. Probably it
> was  not  found  by eEye because overflow is heap based, so exception is
> triggered on free(). It may be achieved by setting and changing property
> with Javascript, for example. This kind of overflows (heap based Unicode
> overflow)  is  exploitable  under  Internet  Explorer. Attached proof of
> concept  (by LOM)[1] demonstrates exception triggered in free(). See [3]
> for  exploiting  heap  overflows,  [4]  for exploiting Unicode overflows
> under Internet Explorer.
>
> Credits:
>
> Vulnerabilities were discovered by LOM <lom at lom.spb.ru>
>
> Vendor:
>
> Macromedia  was contacted on 23 Oct 2002. The only reply was received on
> 29 Oct 2002 that Macromedia will look into these issues.
>
> Workaround:
>
> Disable ActiveX in Internet Explorer or uninstall flash ActiveX.
>
> References:
>
> 1. Macromedia Shockwave proof of concept
>   http://www.security.nnov.ru/files/swfexpl.zip
> 2. eEye, Macromedia Flash Activex Buffer overflow
>   http://www.eeye.com/html/Research/Advisories/AD20020502.html
> 3. w00w00 on Heap Overflows
>   http://www.w00w00.org/files/articles/heaptut.txt
> 4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
>   few sidenotes on Unicode overflows in general)
>   http://www.security.nnov.ru/search/document.asp?docid=2554
> 5. Additional or updated information on this issue
>   http://www.security.nnov.ru/search/news.asp?binid=1982

>