Adobe Shockwave Player Memory Corruption

Adobe Shockwave Player Memory Corruption: Posted Nov 9, 2011; Authored by Code Audit Labs | Site vulnhunt.com; Code Audit Labs has discovered that Adobe Shockwave Player suffers from a director file PAMM memory corruption vulnerability.; tags | advisory; advisories | CVE-2011-2446; SHA-256 | 8fa0331e11caebc74f418fca888a60b9a5de00d45ee773bf9557006f4fd13e66; Download | Favorite | View

Adobe Shockwave Player Memory Corruption

[CAL-2011-0052]Adobe Shockwave Player Director File Parsing PAMM memory
 corruption vulnerability



CAL ID: CAL-2011-0052
CVE ID: CVE-2011-2446
Discover: instruder of code audit labs of vulnhunt.com
http://www.adobe.com/support/security/bulletins/apsb11-27.html


1 Affected Products
=================
Test Version£ºAdobe Shockwave Player 11.6.1.629(last)


2 Vulnerability Details
=====================
instruder of code audit labs of vulnhunt.com have discovered a
vulnerability in
Adobe Shockwave Player.when adobe shockwave player parsing header of
Director
 File, although the field of block_count of PAMM atom haved done
strictly limited,
but you can bypass the limit with other fields.Thus in the
cycle,leading to a wrong address to write  to cause Memory corruption.


3 Exploitable?
============
This vulnerability will lead to memory corruption ,Successful exploition
may cause code execution .



4 Crash info:
===============
(308.9d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07dd1ff4 ebx=7ffffffb ecx=00007f1f edx=000b8e5c esi=07ed3d48
edi=000093eb
eip=07052920 esp=0227dc9c ebp=00000000 iopl=0         nv up ei ng nz ac
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010292
*** ERROR: Module load completed but symbols could not be loaded for
C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll
DIRAPI+0x2920:
07052920 6621480c        and     word ptr [eax+0Ch],cx
ds:0023:07dd2000=????
0:005> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
00000000 00000000 00000000 00000000 00000000 DIRAPI+0x2920


5 Timeline
=========
2011-9-16 report to adobe
2011-9-17 vendor ask poc file
2011-9-17 we sent the poc file.
2011-9-20 vendor comfirm the issue.
2011-11-8 Coordinated public release of advisory.


6 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Adobe Shockwave Player Memory Corruption

Adobe Shockwave Player Memory Corruption

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Adobe Shockwave Player Memory Corruption

Share This

Adobe Shockwave Player Memory Corruption

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems