
Adobe Shockwave Player TextXtra.x32 Memory Corruption

Posted Nov 9, 2011
Authored by Core Security Technologies, Pablo Santamaria | Site coresecurity.com

Core Security Technologies Advisory - A memory corruption vulnerability in Adobe Shockwave Player can be leveraged to execute arbitrary code on vulnerable systems by enticing users to visit a malicious web site with a specially crafted .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.

tags | advisory, remote, web, arbitrary
advisories | CVE-2011-2447
SHA-256 | 695649c7d963064d7f163ac945a29aca4d694e1c7ff52a09ee8e2a7a93377531

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Adobe Shockwave Player TextXtra.x32 vulnerability


1. *Advisory Information*

Title: Adobe Shockwave Player TextXtra.x32 vulnerability
Advisory ID: CORE-2011-0825
Advisory URL:
http://www.coresecurity.com/content/adobe-shockwave-textxtra-vulnerability
Date published: 2011-11-08
Date of last update: 2011-11-08
Vendors contacted: Adobe
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-2447


3. *Vulnerability Description*

A memory corruption vulnerability in Adobe Shockwave Player can be
leveraged to execute arbitrary code on vulnerable systems by enticing
users to visit a malicious web site with a specially crafted .dir
file. This vulnerability could be used by a remote attacker to execute
arbitrary code with the privileges of the user that opened the
malicious file.


4. *Vulnerable packages*

. Adobe Shockwave Player 11.6.1.629 and earlier versions for
Windows and Macintosh.


5. *Non-vulnerable packages*

. Adobe Shockwave Player 11.6.3.633 [2]


6. *Vendor Information, Solutions and Workarounds*

Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and
earlier versions upgrade to the newest version 11.6.3.633 available
at: http://get.adobe.com/shockwave/

Adobe categorizes this as a critical update and recommends that users
apply the latest update for their product installation by following
the instructions in the Security Bulletin [1].


7. *Credits*

This vulnerability was discovered and researched by Pablo Santamaria
from Core Security Technologies. The publication of this advisory was
coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

A memory corruption vulnerability can be triggered when Adobe
Shockwave parses a specially crafted .dir file. As the following
listing shows, the code reads a value from the file at the line
marked [3] and saves the result in the ESI register [4]. This register
is then used as the counter that ends a loop [5]. While this loop runs,
the sub_69774E23 function is called as many times as the attacker
chooses, leading to a heap-based memory corruption and possibly to
arbitrary code execution.

/-----
.text:69774E8C push esi
.text:69774E8D push edi
.text:69774E8E push [esp+8+arg_4]
.text:69774E92 call sub_6976C9F7 ; [3]
.text:69774E97 push [esp+8+arg_4]
.text:69774E9B mov esi, eax ; [4]
.text:69774E9D call sub_6976CBC8 ;
.text:69774EA2 mov edi, eax
.text:69774EA4 jmp short loc_69774EB4 ;
.text:69774EA6 ; ---------------------------------------------------------------------------
.text:69774EA6
.text:69774EA6 loc_69774EA6: ;
.text:69774EA6 push edi
.text:69774EA7 push [esp+0Ch+arg_0]
.text:69774EAB call sub_69774E23 ;
.text:69774EB0 add edi, 10h ;
.text:69774EB3 dec esi ; [5]
.text:69774EB4
.text:69774EB4 loc_69774EB4: ;
.text:69774EB4 test esi, esi ; [5]
.text:69774EB6 jg short loc_69774EA6 ;
-----/
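
The loop pattern described above, as an added C example that is not part of the advisory and is not Adobe's code: a file-supplied record count is checked against the bytes actually present before it is allowed to drive the loop. The buffer layout (4-byte little-endian count followed by 16-byte records) and the names `walk_records`, `count_rec` and `demo` are assumptions for illustration; only the 16-byte stride and the signed comparison are taken from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_SIZE 16u /* stride taken from the listing: add edi, 10h */

/* Hypothetical per-record handler, standing in for sub_69774E23. */
typedef void (*rec_fn)(const uint8_t *rec, void *ctx);

static void count_rec(const uint8_t *rec, void *ctx) { (void)rec; ++*(int *)ctx; }

/* Assumed layout: 4-byte little-endian signed count, then 16-byte records.
 * Returns the number of records handled, or -1 if the count is rejected. */
int walk_records(const uint8_t *buf, size_t len, rec_fn fn, void *ctx) {
    if (len < 4)
        return -1;
    uint32_t raw = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    /* test esi,esi / jg is a signed compare, so values with the top bit
     * set are negative counts; this example rejects them outright. */
    if (raw > (uint32_t)INT32_MAX)
        return -1;
    /* The listing shows no such check between [4] and the loop: bound the
     * file-supplied count by the records actually present in the buffer. */
    if (raw > (len - 4) / REC_SIZE)
        return -1;
    const uint8_t *rec = buf + 4;
    for (uint32_t i = 0; i < raw; i++, rec += REC_SIZE)
        fn(rec, ctx);
    return (int)raw;
}

/* Constructed input: two records present; the header claims `claimed`. */
int demo(int32_t claimed) {
    uint8_t buf[4 + 2 * REC_SIZE] = {0};
    uint32_t c = (uint32_t)claimed;
    for (int i = 0; i < 4; i++)
        buf[i] = (uint8_t)(c >> (8 * i));
    int seen = 0;
    int rc = walk_records(buf, sizeof buf, count_rec, &seen);
    return rc < 0 ? rc : seen;
}

int main(void) {
    printf("claimed 2 -> %d, claimed 0x7fffffff -> %d, claimed -1 -> %d\n",
           demo(2), demo(INT32_MAX), demo(-1));
    return 0;
}
```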


9. *Report Timeline*

. 2011-09-19:
Core Security Technologies notifies the Adobe PSIRT team of the
vulnerability. Preliminary publication date is set to October 10, 2011.

. 2011-09-19:
The vendor requests a technical description of the vulnerability.

. 2011-09-20:
Core sends to Adobe PSIRT the technical details and a PoC file to
reproduce the vulnerability.

. 2011-09-20:
Vendor acknowledges the receipt of the technical information, and
assigns Adobe tracking number 1065 to this case.

. 2011-10-12:
Core requests an update concerning this issue, and reschedules the
publication of its advisory for November 7, 2011, as an effort to
coordinate it with the release of fixes.

. 2011-10-12:
Vendor replies that the release of a fix is currently scheduled for
the next update of Adobe Shockwave on November 8th, 2011.

. 2011-10-12:
Core acknowledges the vendor response, and asks whether a CVE name has
been assigned to the vulnerability.

. 2011-10-12:
Vendor responds that CVE names are assigned closer to the release date.

. 2011-11-03:
Core asks the vendor whether it is still on track to release fixes on
November 8th, and requests a CVE name and a list of affected versions.

. 2011-11-03:
Vendor confirms the release date, and states that affected versions of
Adobe Shockwave Player are 11.6.1.629 and earlier versions.

. 2011-11-04:
Vendor asks whether the acknowledgements text of its upcoming security
bulletin [1] is accurate.

. 2011-11-07:
Core confirms the text.

. 2011-11-08:
The advisory CORE-2011-0825 is published.


10. *References*

[1] Security bulletin for Adobe Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb11-27.html
[2] Upgrade Adobe Shockwave Player
http://get.adobe.com/shockwave/


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and demonstrate real-world exposures to their most critical
assets. Our customers can gain real visibility into their security
standing, real validation of their security controls, and real metrics
to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
