exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

eeye.flash.6.0.65.0.txt

eeye.flash.6.0.65.0.txt
Posted Dec 21, 2002
Authored by eEye Digital Security | Site eEye.com

Macromedia Shockwave Flash Malformed Header Overflow #2 - Macromedia Flash Player versions less than 6.0.65.0 allows remote code execution via HTML email and web pages. Fix available here.

tags | advisory, remote, web, overflow, code execution
SHA-256 | 018888a6c288f72d88dd0f5fddd22ecea22e5d438947c9dabdd5059490d624a6

eeye.flash.6.0.65.0.txt

Change Mirror Download
Macromedia Shockwave Flash Malformed Header Overflow #2

Release Date:
December 16, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
Macromedia Flash Player versions less than 6.0.65.0

Description:
While working on some pre-release Retina® CHAM tools, multiple exploitable
conditions were discovered within the Shockwave Flash file format SWF
(pronounced "SWIF").

There exists a vulnerability within Macromedia's Flash software and its
handling of malformed Flash files. Attackers can use this vulnerability to
compromise users of Macromedia's Flash software. A corrupt file may be
placed on a website or in some cases within an HTML email.

We provided Macromedia with various corrupt Flash files, a few of which we
verified for exploitability. Macromedia has since fixed the exploitable
conditions as well as various other bugs that were found.

The primary danger of exploiting Macromedia Flash is its extensive user base
and portability across operating systems. Further, it is "version frozen" on
operating system installation set-ups, so issues may linger for sometime.
Regardless, Macromedia has fixed all of the known issues.

Technical Description:
The data header is roughly made out as:

[Flash Signature][version (1)][File Length(a number of bytes too
short)][Frame Size (malformed)][Frame Rate (malformed)][Frame Count
(malformed)][Data]

While the diagram may remain the same for this issue as in the previous
issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there
are variations in the malformed data which are very specific to this issue.
In this case, EBP is completely controlled, so exploitation is
straight-forward. EDI is also directly controlled as well as EDX and EDI
which all give attackers the ability to easily exploit the vulnerable
scenarios.

Protection:
Retina® Network Security Scanner (http://www.eeye.com/Retina) has been
updated to identify this latest Macromedia Flash vulnerability.

Vendor Status:
Macromedia has been notified and released a patch for this vulnerability,
available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

Credit:
Drew Copley, Research Engineer, eEye Digital Security

Greetings:
StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close