Trustix Secure Linux Security Advisory 2008.1

Posted Nov 24, 2008
Authored by Riley Hassell | Site isecpartners.com

iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. Adobe Flash Player versions and below, AIR 1.1, Flash CS3/CS4 Professional, and Flex 3 are all affected.

tags | advisory, denial of service, code execution, info disclosure
SHA-256 | 8e6606f27424c5ca99f203f2867baed82d3d8dfb7c7883135b0107b1d88d1740

iSEC Partners Security Advisory - 2008-01-flash

Adobe Flash Multiple Vulnerabilities

Vendor: Adobe, Inc.
Vendor URL: http://www.adobe.com
Versions affected: Flash Player and earlier,
AIR 1.1, Flash CS4 Professional, Flash CS3 Professional, Flex 3
Systems Affected: All platforms
Severity: High - potential code execution
Author: Riley Hassell <riley[at]isecpartners[dot]com>
Vendor notified: 2008-07-22
Public release: 2008-11-21
Advisory URL: https://www.isecpartners.com/advisories/2008-01-flash.txt
Vendor Advisory URL: http://www.adobe.com/support/security/bulletins/apsb08-22.html

iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used
by the Adobe Flash player, and identified several issues which could
lead to denial of service, information disclosure or code execution
when parsing a malicious SWF file. The majority of testing occurred
during 120 hours of automated SWF-specific fault injection testing
in which several hundred unique control paths were identified that
trigger bugs and/or potential vulnerabilities in the Adobe Flash Player.
Paths leading to duplicate issues were condensed down to a number of
unique problems in the Adobe Flash Player. The primary cause for these
vulnerabilities appears to be simple failures in verifying the bounds of
compartmentalized structures.

Of the reported issues, several could be used by an attacker to
partially or fully control object member pointers with addresses of
his or her choosing. This may result in write operations into the host
process' memory with data of the attacker's choosing, which is usually a
serious problem and could lead to code execution.

The majority of the issues discovered lead to an out-of-bounds read,
often caught by the operating system and converted into an error. For
example, in the affected versions of Flash Player the following Action
Record (ActionScript 2.0) types failed to verify the size of their member
elements: DefineConstantPool, ActionJump, ActionPush and ActionTry, as
well as several other Action Record types. These boundary issues become
apparent when a Flash movie (a .swf file consisting of a series of tags,
some of which carry Action Records) contains offset or length values that
point to regions beyond the end of the Flash file's memory.

When tried at random, these reads beyond bounds often hit an invalid
memory page, for example just past the end of the Flash movie. Perhaps
because of this, out-of-bounds reads are often, and incorrectly,
considered harmless by developers and testers. Unbounded reads whose
results have side effects can still be used to expose sensitive
information, however, and iSEC was able to read sensitive data
structures from process memory using this technique. Since the Flash
movie is located in a region of process memory that is highly
fragmented, the memory following our Flash movie is often unmapped, and
in its place is an invalid page; when this page is touched an exception
is thrown. Using the behavior of the memory management system to guide
us, we can reduce the size of the movie buffer so that it no longer
resides in highly fragmented memory but instead in more interesting
contiguous regions, such as a private

In the case of the DefineConstantPool record we were able to supply an
arbitrary constant count. The player then parses that many constant
values (null-terminated strings) from the record's string table,
continuing through the adjacent tag data and eventually reading from
memory adjacent to the Flash movie. References to these values are
stored in a table of constants that can later be accessed using a set of
action records, which is what turns the over-read into an information
leak. A proof of concept was developed and presented to the vendor to
demonstrate the threat that read-beyond-bounds issues pose to complex
file formats such as SWF.
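As an added example, not code from the iSEC advisory or from Adobe's player: the C program below models the action record the advisory calls DefineConstantPool (the SWF specification's ActionConstantPool, action code 0x88, whose payload is a UI16 count followed by that many null-terminated strings). A naive parser trusts the count and consumes each string with strlen(), so an 11-byte record that declares 16 constants but carries two walks straight into whatever follows it; here that is a constructed secret placed after the record inside a simulated memory array, standing in for the adjacent process memory the advisory describes. A bounds-checked parser that confines every read to the record's declared length, and the record to the file, rejects the same input while still accepting a well-formed record. The parser functions, the memory layout and the secret string are assumptions of this example, not Flash Player's code or data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACTION_CONSTANT_POOL 0x88   /* SWF action code; the advisory's "DefineConstantPool" */
#define MAX_CONSTANTS 64

/* Constructed "process memory" (not real Flash data): an 11-byte action
 * record that declares 16 constants but carries only two, followed by a
 * constructed secret standing in for whatever sits after the movie buffer.
 * The unused tail is zero so the vulnerable walk stays inside the array. */
#define SWF_LEN 11
static const unsigned char memory[64] = {
    ACTION_CONSTANT_POOL, 0x08, 0x00,          /* code, record length 8 (LE) */
    0x10, 0x00,                                /* count = 16 (LE)            */
    'h', 'i', 0,                               /* constant 0                 */
    'y', 'o', 0,                               /* constant 1; record ends    */
    'S','E','S','S','I','O','N','=','d','e','a','d','b','e','e','f', 0,
};

/* A well-formed record for comparison: count matches the strings present. */
static const unsigned char good_swf[] = {
    ACTION_CONSTANT_POOL, 0x08, 0x00, 0x02, 0x00, 'h', 'i', 0, 'y', 'o', 0,
};

/* Vulnerable pattern described in the advisory: the declared count is
 * trusted and each constant is consumed with strlen(), so a count larger
 * than the strings actually present reads straight past the record. */
static size_t parse_pool_naive(const unsigned char *rec,
                               const char *out[], size_t max_out)
{
    uint16_t count = (uint16_t)(rec[3] | (rec[4] << 8));
    const unsigned char *p = rec + 5;
    size_t n = 0;
    while (n < count && n < max_out) {
        out[n++] = (const char *)p;
        p += strlen((const char *)p) + 1;      /* never compared to record end */
    }
    return n;
}

/* Hardened parser: every read is confined to the record's declared length,
 * which is itself confined to the file. Returns the constant count or -1. */
static int parse_pool_safe(const unsigned char *file, size_t file_len,
                           size_t off, const char *out[], size_t max_out)
{
    if (file_len < 3 || off > file_len - 3) return -1;
    if (file[off] != ACTION_CONSTANT_POOL) return -1;
    size_t len  = (size_t)(file[off + 1] | (file[off + 2] << 8));
    size_t data = off + 3;
    if (len < 2 || len > file_len - data) return -1;  /* record must fit in file */
    size_t end   = data + len;
    size_t count = (size_t)(file[data] | (file[data + 1] << 8));
    size_t p = data + 2, n = 0;
    for (; n < count; n++) {
        if (n >= max_out) return -1;
        const unsigned char *nul = memchr(file + p, 0, end - p);
        if (nul == NULL) return -1;            /* string would cross record end */
        out[n] = (const char *)(file + p);
        p = (size_t)(nul - file) + 1;
    }
    return p == end ? (int)n : -1;             /* count and payload must agree */
}

int naive_constant_count(void)
{
    const char *pool[MAX_CONSTANTS];
    return (int)parse_pool_naive(memory, pool, MAX_CONSTANTS);
}

/* The third "constant" the naive parser hands back is the adjacent secret. */
const char *naive_leaked_constant(void)
{
    const char *pool[MAX_CONSTANTS];
    size_t n = parse_pool_naive(memory, pool, MAX_CONSTANTS);
    return n > 2 ? pool[2] : NULL;
}

int safe_result_for_oversized_count(void)
{
    const char *pool[MAX_CONSTANTS];
    return parse_pool_safe(memory, SWF_LEN, 0, pool, MAX_CONSTANTS);
}

int safe_result_for_wellformed(void)
{
    const char *pool[MAX_CONSTANTS];
    return parse_pool_safe(good_swf, sizeof good_swf, 0, pool, MAX_CONSTANTS);
}

int main(void)
{
    printf("naive: %d constants, third = \"%s\"\n",
           naive_constant_count(), naive_leaked_constant());
    printf("safe:  oversized count -> %d, well-formed -> %d\n",
           safe_result_for_oversized_count(), safe_result_for_wellformed());
    return 0;
}
```

The naive walk returns 16 "constants", the third of which is the secret that was never part of the record; in a real process the same walk continues until it meets an unmapped page, which is why the bug surfaces as a crash under random fuzzing and as a leak once the adjacent memory is readable. The hardened parser derives every limit from the record length and the file length rather than from the attacker-controlled count, and also refuses a record whose payload does not end exactly where the count says it should.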

Finally, other issues were found that suggest a lack of validation of
the contents of the dictionary data structure. Elements in the
structure, e.g. "characters", are first defined using a variety of
define operations. They are subsequently referenced by their "character
id" and inserted into the Flash player workspace. During retrieval of
character elements from the dictionary, they are not validated to
actually exist, and often their structure is not validated prior to
use. This typically leads to a null pointer dereference and a crash,
which is much less dangerous than the issues above.

Fix Information:
All issues considered by Adobe to be critical are reported resolved in
current versions of the Flash Player and Adobe AIR. Adobe recommends
all users of Adobe Flash Player and earlier versions upgrade
to the newest version by downloading it from the Player
Download Center, or by using the auto-update mechanism within the
product when prompted.

Vendor Communication:
07/22/08 - Adobe PSIRT contacted and vulnerabilities disclosed

07/23/08 - Proof of concept for memory corruption and null pointer issues provided

07/24/08 - Proof of concept for read beyond bounds issues provided

07/30/08 - Discussion of the POC samples begins; PSIRT acknowledges that
verification testing is underway

08/02/08 - PSIRT responds to iSEC that the patch release is set for a hard date in
mid November and requests that publication be held until then

09/09/08 - PSIRT reports major issues have been remediated, but some issues
were declared safe because they only resulted in denial of service

11/17/08 - Vendor advisory released

11/21/08 - iSEC advisory released

Thanks to:
The Adobe product security team for a timely response to this issue.
Josh Zelonis of iSEC for his assistance dissecting the SWF file format
and development of the SWF 010 Editor Template.

About iSEC Partners:
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education and
software design verification, with offices in San Francisco, Seattle,
and Ewa Beach.
