what you don't know can hurt you

Adobe Shockwave Player Parsing Heap Overflow

Adobe Shockwave Player Parsing Heap Overflow
Posted Feb 15, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Adobe Shockwave Player versions 11.6.x.x suffer from a parsing cupt atom heap overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2012-0758
MD5 | 2d79df0828357da26b0bbcd16992ea83

Adobe Shockwave Player Parsing Heap Overflow

Change Mirror Download
[CAL-2011-0071]Adobe Shockwave Player Parsing cupt atom heap overflow


Discover: instruder of code audit labs of vulnhunt.com
CAL: CAL-2011-0071
CVE: CVE-2012-0758

http://blog.vulnhunt.com/index.php/2012/02/15/cal-2011-0071_adobe-shockwave-player-parsing-cupt-atom-heap-overflow/

adobe security bulletins
http://www.adobe.com/support/security/bulletins/apsb12-02.html


1 Affected Products
=================
adobe shockwave 11.6.3.633
adobe Shockwave 11.6.1.629 and prior


2 Vulnerability Details
=====================
When adobe shockwave player parsing a dir type file,
it takes a dword from the dir file,and then take some
Computing this computing will leding to Integer overflow,
allocate a small memory,this Cause a heap overflow.


3 Analysis
=========
asm in dirapi.dll 11.6.1.629

.text:6809FC7A push esi
.text:6809FC7B push edi
.text:6809FC7C push ebp
.text:6809FC7D call IML32_1414_get_a_dword //get a
dword form dir file
.text:6809FC82 mov esi, eax //if eax=66666680
some like this,after esi+esi*4 Will cause a heap overflow
.text:6809FC84 lea eax, [esi+esi*4] // Integrated
overflow
.text:6809FC87 push 1
.text:6809FC89 lea ecx, ds:24h[eax*8]
.text:6809FC90 push ecx
.text:6809FC91 call IML32_1111 ;
.text:6809FC96 push eax
.text:6809FC97 mov [esp+14h+arg_4], eax
.text:6809FC9B call IML32_1114 //allocate memory
.text:6809FCA0 mov edi, eax
.text:6809FCA2 test edi, edi
.text:6809FCA4 jz short loc_6809FD03
.text:6809FCA6 mov [edi+1Ch], esi
.text:6809FCA9 test esi, esi
.text:6809FCAB jbe short loc_6809FCCB
.text:6809FCAD lea esi, [edi+28h]
.text:6809FCB0
.text:6809FCB0 loc_6809FCB0: ; CODE XREF:
sub_6809FC60+69j
.text:6809FCB0 push ebp
.text:6809FCB1 call IML32_1414_get_a_dword ////write
the dword to the heap
.text:6809FCB6 push 20h
.text:6809FCB8 push esi
.text:6809FCB9 push ebp
.text:6809FCBA mov [esi-4], eax
.text:6809FCBD call IML32_1409
.text:6809FCC2 inc ebx
.text:6809FCC3 add esi, 28h ////heap buffer overflow
.text:6809FCC6 cmp ebx, [edi+1Ch]
.text:6809FCC9 jb short loc_6809FCB0 //Cycle



c code like
==================

v6 = v4 + 40;
do
{
*(_DWORD *)(v6 - 4) = IML32_1414_get_a_dword(v3);
v4 = IML32_1409();
++v2;
v6 += 40;
}
while ( v2 < *(_DWORD *)(v5 + 0x1C) );




4 Exploitable?
============
Successfully exploited this vulnerability could lead to arbitrary code
execution.


5 Crash info:
===============
eax=00000000 ebx=00002a63 ecx=07916058 edx=08980028 esi=07981008
edi=07917068
eip=0754fd5a esp=09e9ef28 ebp=08250bd8 iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00210246
*** ERROR: Module load completed but symbols could not be loaded for
C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll
DIRAPI+0x9fd5a:
0754fd5a 8946fc mov dword ptr [esi-4],eax
ds:0023:07981004=????????0:028> 0:023> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
09e9ef40 0755028c 07894154 08250bb0 07894154 DIRAPI+0x9fd5a
00000000 00000000 00000000 00000000 00000000 DIRAPI+0xa028cPOC


6 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close