[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4087



Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap 
record - VSWV entry)
CVE-2010-4087


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view 
rich-media content on the web including animations, interactive presentations, 
and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a 
corruption in module IML32.dll by opening a malformed file with an invalid 
length of VSWV entry inside a mmap record.

This problem was confirmed in the following versions of Adobe Shockwave Player 
and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet 
Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro13.dir) is available to interested 
parties. 


DETAILS

0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx 
ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at 
IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)

User mode write access violations that are not near NULL are exploitable.


Disassembly:

0:008> u 0x69081264 L15
IML32!Ordinal2064+0x7254:
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx
69081268 83c902          or      ecx,2
6908126b 890e            mov     dword ptr [esi],ecx
6908126d 8b4318          mov     eax,dword ptr [ebx+18h]
69081270 894608          mov     dword ptr [esi+8],eax
69081273 8b4804          mov     ecx,dword ptr [eax+4]
69081276 894e04          mov     dword ptr [esi+4],ecx
69081279 8b5004          mov     edx,dword ptr [eax+4]
6908127c 897208          mov     dword ptr [edx+8],esi
6908127f 8b54241c        mov     edx,dword ptr [esp+1Ch]
69081283 897004          mov     dword ptr [eax+4],esi
69081286 eb1e            jmp     IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31          lea     edi,[ecx+esi]
6908128b 894ffc          mov     dword ptr [edi-4],ecx
6908128e 83c902          or      ecx,2
69081291 890e            mov     dword ptr [esi],ecx
69081293 8b042f          mov     eax,dword ptr [edi+ebp]
69081296 8b7604          mov     esi,dword ptr [esi+4]
69081299 83c802          or      eax,2
6908129c 89042f          mov     dword ptr [edi+ebp],eax
6908129f 8bc5            mov     eax,ebp


CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo 
Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies