exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EEYEB-20050627B.txt

EEYEB-20050627B.txt
Posted Nov 5, 2005
Authored by Fang Xing | Site eeye.com

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in Macromedia Flash Player versions 6 and 7 that will allow an attacker to run arbitrary code in the context of the logged in user. An array boundary condition may be violated by a malicious SWF file in order to redirect execution into attacker-supplied data.

tags | advisory, arbitrary
advisories | CVE-2005-2628
SHA-256 | 9fed5fc5b6f35c0a68064bb3eba38b089f2ea09373f01b1eca9cbef787d60c1f

EEYEB-20050627B.txt

Change Mirror Download
Macromedia Flash Player Improper Memory Access Vulnerability

Release Date:
November 4, 2005

Date Reported:
June 27, 2005

Severity:
High

Vendor:
Macromedia

Systems Affected:
Macromedia Flash 6 (on all Windows platforms)
Macromedia Flash 7 (on all Windows platforms)

Overview:
eEye Digital Security has discovered a vulnerability in Macromedia Flash
Player versions 6 and 7 that will allow an attacker to run arbitrary
code in the context of the logged in user. An array boundary condition
may be violated by a malicious SWF file in order to redirect execution
into attacker-supplied data.

Technical Details:
The vulnerable code exists in Flash.ocx, which embodies the code
responsible for playing back SWF files. One function maintains a large,
256-element table of function pointers on the stack, and uses a frame
type identifier read from the SWF file as an index into the array,
without enforcing the array boundaries. The following disassembly
depicts the affected code:

.text:1002714F mov eax, [esi+0CA4h] ; type number
.text:10027155 mov ecx, [esi+94h] ; base of table
.text:1002715B lea eax, [ecx+eax*8] ; get element address
.text:1002715E mov ecx, [eax] ;

Although the index is not validated, its value is elsewhere restricted
to be at most 0x8000, so the attacker can cause a function pointer to be
retrieved from memory up to roughly 64KB after the base of the table on
the stack. Typically this range will include heap memory, so by
planting specific data on the heap, the attacker can very easily control
the exact value of the function pointer. Reliable exploitation using
this technique within Internet Explorer has been demonstrated by eEye
Digital Security.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - protects from this
vulnerability.

Vendor Status:
Macromedia has addressed this issue in the following security bulletin;
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

This vulnerability has been assigned the CVE identifier CAN-2005-2628
and OSVDB ID 18825.

Greetings:
Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.

Credit:
Fang Xing

Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close