exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

eeye.flash.txt

eeye.flash.txt
Posted Aug 9, 2002
Authored by Marc Maiffret | Site eEye.com

Eeye Advisory - All versions of Macromedia Shockwave Flash for Windows and Unix contains remotely exploitable overflows in the handling of SWF files. Since this is a browser based bug, it makes it trivial to bypass firewalls and attack the user at his desktop. Also, application browser bugs allow you to target users based on the websites they visit, the newsgroups they read, or the mailing lists they frequent.

tags | overflow
systems | windows, unix
SHA-256 | ef61f5c7bb22a7f1570c610ede3c3d279065fdc8c0930aa34c2231c4cd2e2ea9

eeye.flash.txt

Change Mirror Download
Macromedia Shockwave Flash Malformed Header Overflow

Release Date: August 8, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
Macromedia Shockwave Flash - All Versions;
Unix and Windows; Netscape and Internet Explorer

Description:
While working on some pre-release eEye Retina CHAM tools, an exploitable
condition was discovered within the Shockwave Flash file format called SWF
(pronounced "SWIF").

Since this is a browser based bug, it makes it trivial to bypass firewalls
and attack the user at his desktop. Also, application browser bugs allow you
to target users based on the websites they visit, the newsgroups they read,
or the mailing lists they frequent. It is a "one button" push attack, and
using anonymous remailers or proxies for these attacks is possible.

This vulnerability has been proven to work with all versions of Macromedia
Flash on Windows and Unix, through IE and Netscape. It may be run wherever
Shockwave files may be displayed or attached, including: websites, email,
news postings, forums, Instant Messengers, and within applications utilizing
web-browsing functionality.

Technical Description:
The data header is roughly made out to:

[Flash signature][version (1)][File Length(A number of bytes too
short)][frame size (malformed)][Frame Rate (malformed)][Frame Count
(malformed)][Data]

By creating a malformed header we can supply more frame data than the
decoder is expecting. By supplying enough data we can overwrite a function
pointer address and redirect the flow of control to a specified location as
soon as this address is used. At the moment the overwritten address takes
control flow, an address pointing to a portion of our data is 8 bytes back
from the stack pointer. By using a relative jump we redirect flow into a
"call dword ptr [esp+N]", where N is the number of bytes from the stack
pointer. These "jump points" can be located in multiple loaded dll's. By
creating a simple tool using the debugging API and ReadMemory, you can
examine a process's virtual address space for useful data to help you with
your exploitation.

This is not to say other potentially vulnerable situations have not been
found in Macromedia's Flash. We discovered about seventeen others before we
ended our testing. We are working with Macromedia on these issues.

Protection:
Retina(R) Network Security Scanner already scans for this latest version of
Flash on users' systems. Ensure all users within your control upgrade their
systems.

Vendor Status:
Macromedia has released a patch for this vulnerability, available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=M
PSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%2
0Issue&Cache=False

Discovery: Drew Copley
Exploitation: Riley Hassell

Greetings: Hacktivismo!, Centra Spike

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close