Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2880

From: Rodrigo Branco <rbranco () checkpoint com>
Date: Wed, 25 Aug 2010 06:02:41 -0700
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2880


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including 
animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by 
opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x47.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS


CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.dir) is available to interested parts. 


DETAILS

Disassembly:

68001602   40               INC EAX
68001603   83E0 FE          AND EAX,FFFFFFFE
68001606   8945 04          MOV DWORD PTR SS:[EBP+4],EAX
68001609   8D5408 08        LEA EDX,DWORD PTR DS:[EAX+ECX+8]
6800160D   8B47 20          MOV EAX,DWORD PTR DS:[EDI+20]
68001610   8B58 10          MOV EBX,DWORD PTR DS:[EAX+10]
68001613   83FB FF          CMP EBX,-1
68001616   895424 14        MOV DWORD PTR SS:[ESP+14],EDX
6800161A   895C24 10        MOV DWORD PTR SS:[ESP+10],EBX
6800161E   0F8E 92010000    JLE DIRAPI.680017B6
68001624   53               PUSH EBX
68001625   57               PUSH EDI
68001626   E8 C5140000      CALL DIRAPI.68002AF0
6800162B   8BD8             MOV EBX,EAX
6800162D   8B43 10          MOV EAX,DWORD PTR DS:[EBX+10]   <-- Problem

EBX = 0x46A6FAAC
EAX = 0x46A6FAAC


CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team 
(VDT).




Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: