what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe Shockwave Director tSAC Chunk Remote Code Execution

Adobe Shockwave Director tSAC Chunk Remote Code Execution
Posted Aug 26, 2010
Authored by Aaron Portnoy, Logan Brown | Site dvlabs.tippingpoint.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing Director's RIFF-based file format. While parsing the tSAC chunk, the DIRAPI module does not properly verify the signedness of a count value within an undocumented structure. By providing a large enough negative value a pointer can be miscalculated leading to memory corruption. This can be exploited by a remote attacker to execute arbitrary code under the context of the user running the web browser.

tags | advisory, remote, web, arbitrary
advisories | CVE-2010-2866
SHA-256 | 86a222ba1e8cbc3a092252acfbbfd4d5af69f70800dc8b82c9dfe26831862381

Adobe Shockwave Director tSAC Chunk Remote Code Execution

Change Mirror Download
TPTI-10-13: Adobe Shockwave Director tSAC Chunk Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-13
August 24, 2010

-- CVE ID:
CVE-2010-2866

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing
Director's RIFF-based file format. While parsing the tSAC chunk, the
DIRAPI module does not properly verify the signedness of a count value
within an undocumented structure. By providing a large enough negative
value a pointer can be miscalculated leading to memory corruption. This
can be exploited by a remote attacker to execute arbitrary code under
the context of the user running the web browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close