Adobe Shockwave Player TextXtra.x32 Memory Corruption

Posted Nov 9, 2011
Authored by Core Security Technologies, Pablo Santamaria | Site coresecurity.com

Core Security Technologies Advisory - A memory corruption vulnerability in Adobe Shockwave Player can be leveraged to execute arbitrary code on vulnerable systems by enticing users to visit a malicious web site with a specially crafted .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.

tags | advisory, remote, web, arbitrary
advisories | CVE-2011-2447
MD5 | d3b84c019ed4dff8a2cd96a854297dc7

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Adobe Shockwave Player TextXtra.x32 vulnerability


1. *Advisory Information*

Title: Adobe Shockwave Player TextXtra.x32 vulnerability
Advisory ID: CORE-2011-0825
Advisory URL:
http://www.coresecurity.com/content/adobe-shockwave-textxtra-vulnerability
Date published: 2011-11-08
Date of last update: 2011-11-08
Vendors contacted: Adobe
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-2447


3. *Vulnerability Description*

A memory corruption vulnerability in Adobe Shockwave Player can be
leveraged to execute arbitrary code on vulnerable systems by enticing
users to visit a malicious web site with a specially crafted .dir
file. This vulnerability could be used by a remote attacker to execute
arbitrary code with the privileges of the user that opened the
malicious file.


4. *Vulnerable packages*

. Adobe Shockwave Player 11.6.1.629 and earlier versions for
Windows and Macintosh.


5. *Non-vulnerable packages*

. Adobe Shockwave Player 11.6.3.633 [2]


6. *Vendor Information, Solutions and Workarounds*

Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and
earlier versions upgrade to the newest version 11.6.3.633 available
at: http://get.adobe.com/shockwave/

Adobe categorizes this as a critical update and recommends that users
apply the latest update for their product installation by following
the instructions in the Security Bulletin [1].


7. *Credits*

This vulnerability was discovered and researched by Pablo Santamaria
from Core Security Technologies. The publication of this advisory was
coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

A memory corruption vulnerability can be triggered when Adobe
Shockwave parses a specially crafted .dir file. As the following code
shows, it reads data from the file (marker [3] in the listing) and
saves the result in the ESI register [4]. This register is then used
as the counter that ends a loop [5]. While this loop executes, the
sub_69774E23 function is called as many times as the attacker wants,
leading to heap-based memory corruption and possibly to arbitrary code
execution.

/-----
.text:69774E8C push esi
.text:69774E8D push edi
.text:69774E8E push [esp+8+arg_4]
.text:69774E92 call sub_6976C9F7 ; [3]
.text:69774E97 push [esp+8+arg_4]
.text:69774E9B mov esi, eax ; [4]
.text:69774E9D call sub_6976CBC8 ;
.text:69774EA2 mov edi, eax
.text:69774EA4 jmp short loc_69774EB4 ;
.text:69774EA6 ; ---------------------------------------------------------------------------
.text:69774EA6
.text:69774EA6 loc_69774EA6: ;
.text:69774EA6 push edi
.text:69774EA7 push [esp+0Ch+arg_0]
.text:69774EAB call sub_69774E23 ;
.text:69774EB0 add edi, 10h ;
.text:69774EB3 dec esi ; [5]
.text:69774EB4
.text:69774EB4 loc_69774EB4: ;
.text:69774EB4 test esi, esi ; [5]
.text:69774EB6 jg short loc_69774EA6 ;
-----/
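
The pattern in the listing, modelled in C as an added example (not code from the advisory or from Adobe): a count read from the file drives a loop over 10h-byte entries, shown with the bounds check that ties the count to the data actually present. The chunk layout, the function names and the sample bytes are assumptions made for illustration; only the 10h stride and the signed loop test come from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_SIZE 0x10u   /* stride taken from "add edi, 10h" in the listing */
#define HDR_SIZE   4u      /* hypothetical: 4-byte little-endian count field */

/* Constructed sample chunks: a count field followed by two 16-byte entries. */
static const uint8_t SAMPLE_OK[HDR_SIZE + 2 * ENTRY_SIZE]  = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_BAD[HDR_SIZE + 2 * ENTRY_SIZE] = { 0xFF, 0xFF, 0xFF, 0x7F };

static int32_t read_count(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Bytes the loop in the listing would walk: count * 10h, bounded only by
   the signed "test esi, esi / jg" check, never by the size of the data. */
uint64_t unchecked_span(const uint8_t *chunk, size_t len) {
    if (len < HDR_SIZE) return 0;
    int32_t count = read_count(chunk);
    return count > 0 ? (uint64_t)count * ENTRY_SIZE : 0;
}

static unsigned handled;                       /* entries seen by the stub */
static void handle_entry(const uint8_t *entry) { (void)entry; handled++; }

/* Hardened loop: the count must fit the bytes actually present.
   Returns the number of entries processed, or -1 if the chunk is rejected. */
int process_entries_checked(const uint8_t *chunk, size_t len) {
    if (len < HDR_SIZE) return -1;
    int32_t count = read_count(chunk);
    size_t avail = (len - HDR_SIZE) / ENTRY_SIZE;
    if (count < 0 || (size_t)count > avail) return -1;
    const uint8_t *entry = chunk + HDR_SIZE;
    for (int32_t i = 0; i < count; i++, entry += ENTRY_SIZE)
        handle_entry(entry);
    return count;
}

int main(void) {
    printf("ok:  %d entries\n", process_entries_checked(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("bad: %d (unchecked loop would span %llu bytes of a %zu-byte chunk)\n",
           process_entries_checked(SAMPLE_BAD, sizeof SAMPLE_BAD),
           (unsigned long long)unchecked_span(SAMPLE_BAD, sizeof SAMPLE_BAD),
           sizeof SAMPLE_BAD);
    return 0;
}
```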


9. *Report Timeline*

. 2011-09-19:
Core Security Technologies notifies the Adobe PSIRT team of the
vulnerability. Preliminary publication date is set to October 10, 2011.

. 2011-09-19:
The vendor requests a technical description of the vulnerability.

. 2011-09-20:
Core sends to Adobe PSIRT the technical details and a PoC file to
reproduce the vulnerability.

. 2011-09-20:
Vendor acknowledges the receipt of the technical information, and
assigns Adobe tracking number 1065 to this case.

. 2011-10-12:
Core requests an update concerning this issue, and reschedules the
publication of its advisory for November 7, 2011, as an effort to
coordinate it with the release of fixes.

. 2011-10-12:
Vendor replies that the release of a fix is currently scheduled for
the next update of Adobe Shockwave on November 8th, 2011.

. 2011-10-12:
Core acknowledges the vendor response, and asks whether a CVE name has
been assigned to the vulnerability.

. 2011-10-12:
Vendor responds that CVE names are assigned closer to the release date.

. 2011-11-03:
Core asks the vendor whether it is still on track to release fixes on
November 8th, and requests a CVE name and a list of affected versions.

. 2011-11-03:
Vendor confirms the release date, and states that affected versions of
Adobe Shockwave Player are 11.6.1.629 and earlier versions.

. 2011-11-04:
Vendor asks whether the acknowledgements text of its upcoming security
bulletin [1] is accurate.

. 2011-11-07:
Core confirms the text.

. 2011-11-08:
The advisory CORE-2011-0825 is published.


10. *References*

[1] Security bulletin for Adobe Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb11-27.html
[2] Upgrade Adobe Shockwave Player
http://get.adobe.com/shockwave/


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and demonstrate real-world exposures to their most critical
assets. Our customers can gain real visibility into their security
standing, real validation of their security controls, and real metrics
to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
