Bugtraq mailing list archives

MacroMedia Flash/Shockwave plug-in on linux : memcpy overrun problem.


From: Chiaki Ishikawa <Chiaki.Ishikawa () PERSONAL-MEDIA CO JP>
Date: Mon, 14 Aug 2000 16:26:05 +0900

X-PMC-CI-e-mail-id: 13428

A replacement library for checking for the well-known type of stack overrun
caused by memory copy / string copy operations has been made
available, namely libsafe.

I have used it on Linux and I spotted a couple of suspicious popular
programs on linux.

I have been using libsafe on linux and found that
 - netscape plug-in for Flash/Shockwave plug-in seems to have
   memcpy overrun problem.
 ( and adobe acrobat reader on linux has some issues with libsafe.
   But this seems to be caused by the different libc, somewhat old
   compat-libc, used by acrobat reader. So I won't go into details on
   acrobat reader.)

Flash / ShockWave plug-in for netscape.

For netscape flash/shockwave plug-in on linux,
the log output below shows the output from libsafe.
The first and the second-to-last messages are from the test
suite of libsafe.
The other logs are from netscape
(during flash/shockwave plug-in operation from what I remember).
You can see that netscape versions 4.72, 4.73 and 4.74 suffered
from the memcpy() overwrite problem.
(During the period, the kernel was upgraded from 2.2.14
to 2.2.15,2.2.16, 2.4.0-test4, etc..)

ishikawa@standard$ more libsafe-netscape-showckwave-flash.bug
Apr 23 01:04:15 standard libsafe.so[1534]: version 1.3
Apr 23 01:04:15 standard libsafe.so[1534]: detected an attempt to write across stack boundary.
Apr 23 01:04:15 standard libsafe.so[1534]: terminating /opt2/tools/libsafe/exploits/t1
Apr 23 01:04:15 standard libsafe.so[1534]: overflow caused by strcpy()
Apr 29 04:35:23 standard libsafe.so[648]: version 1.3
Apr 29 04:35:23 standard libsafe.so[648]: detected an attempt to write across stack boundary.
Apr 29 04:35:23 standard libsafe.so[648]: terminating /opt/ns472/netscape
Apr 29 04:35:23 standard libsafe.so[648]: overflow caused by memcpy()
May  2 02:11:53 standard libsafe.so[1153]: version 1.3
May  2 02:11:53 standard libsafe.so[1153]: detected an attempt to write across stack boundary.
May  2 02:11:53 standard libsafe.so[1153]: terminating /opt/ns472/netscape
May  2 02:11:53 standard libsafe.so[1153]: overflow caused by memcpy()
Jul  2 02:58:32 standard libsafe.so[1648]: version 1.3
Jul  2 02:58:32 standard libsafe.so[1648]: detected an attempt to write across stack boundary.
Jul  2 02:58:32 standard libsafe.so[1648]: terminating /opt/ns473/netscape
Jul  2 02:58:32 standard libsafe.so[1648]: overflow caused by memcpy()
Jul  2 23:39:05 standard libsafe.so[639]: version 1.3
Jul  2 23:39:05 standard libsafe.so[639]: detected an attempt to write across stack boundary.
Jul  2 23:39:05 standard libsafe.so[639]: terminating /opt/ns473/netscape
Jul  2 23:39:05 standard libsafe.so[639]: overflow caused by memcpy()
Jul  8 03:04:47 standard libsafe.so[390]: version 1.3
Jul  8 03:04:47 standard libsafe.so[390]: detected an attempt to write across stack boundary.
Jul  8 03:04:47 standard libsafe.so[390]: terminating /opt/ns473/netscape
Jul  8 03:04:47 standard libsafe.so[390]: overflow caused by memcpy()
Jul 11 04:10:47 standard libsafe.so[1424]: version 1.3
Jul 11 04:10:47 standard libsafe.so[1424]: detected an attempt to write across stack boundary.
Jul 11 04:10:47 standard libsafe.so[1424]: terminating /opt2/tools/libsafe/exploits/t1
Jul 11 04:10:47 standard libsafe.so[1424]: overflow caused by strcpy()
Aug 14 00:30:11 standard libsafe.so[393]: version 1.3
Aug 14 00:30:11 standard libsafe.so[393]: detected an attempt to write across stack boundary.
Aug 14 00:30:11 standard libsafe.so[393]: terminating /opt/ns474/netscape
Aug 14 00:30:11 standard libsafe.so[393]: overflow caused by memcpy()

It has been rather difficult to figure out what URL exactly caused
the libsafe to detect the error and abort netscape.
Oftentimes, when I clicked on a new URL, one of the URL links in
the new web page is a flash shockwave page and the loading
automatically started, and before I knew it, netscape aborted.

But for the last one, dated Aug 14, I know what URL caused the abort
exactly. This prompted me to write this article.
(Presumably, those who have access to the source code of
the Flash/Shockwave plug-in should be able to fix this problem easily by
trying the URL.)

        URL:
        http://www.washingtonpost.com/wp-srv/photo/conventions/

        There is a big photo of the national political convention
        in the middle and "ENTER" button.
        Clicking on  "ENTER" will start loading the flash/shockwave
        movie or something and this triggered the error reported
        in the above log. (As soon as the loading of ~ 500KB
        data ended, my netscape aborted.)

Severity/Exploit:

I have no idea how hard it is to exploit this memcpy overrun.
But given that some linux distribution vendors felt it was necessary
to do something about the jpeg decoder bug in netscape, this plug-in issue
probably ought to be dealt with in a similar manner: this can certainly
cause a DoS attack.

Before I forget, let me explain that I tried to reach the people
responsible for technical problems/security problems at Macromedia
without success so far. Simply stated, I could not find contact e-mail
addresses easily. I am not a registered user of these programs (they
are available for free), and so it is very difficult to use MacroMedia web
submission forms. It has been a few weeks since I wrote to various
addresses I found on the web pages. I have not heard from human
recipients yet and decided to post this article instead in the hope of
getting someone at MacroMedia to become aware of the problem.

(Come to think of it, I thought this may be marginally related to the
netscape browser itself, and so sent a message using the security
reporting form on the Netscape web page. I wonder if the message was
forwarded to MacroMedia.)

I would welcome anyone forwarding this post to responsible parties.

My suggestions to software vendors: on the web page,
either post a security-related contact address or at least a
generic e-mail address where these findings can be sent.
Posting only e-mail addresses for very limited use is not very helpful
under these circumstances.


--
     Ishikawa, Chiaki        ishikawa () personal-media co jp.NoSpam  or
 (family name, given name) Chiaki.Ishikawa () personal-media co jp.NoSpam
    Personal Media Corp.      ** Remove .NoSpam at the end before use **
  Shinagawa, Tokyo, Japan 142-0051