Adobe Shockwave Player Memory Corruption

Posted Nov 1, 2010
Authored by Rodrigo Rubira Branco, Michael Golub

Adobe Shockwave Player suffers from multiple memory corruption vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2010-4086, CVE-2010-4087, CVE-2010-4088, CVE-2010-4089
SHA-256 | 11361a286c7fb83e25af1b9c1340df96ba726fed468d57467a1833d1809da8d7

========================================================================
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap_element_size)
CVE-2010-4086


INTRODUCTION

Adobe Shockwave Player is Adobe's plugin for many different browsers, used to view rich-media web content including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files: opening a malformed file with an invalid element size causes memory corruption in the module DIRAPI.dll.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version 11.5.8.612, Module DIRAPI.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem, a PoC file (repro12.dir) is available to interested parties. Note that a previous vulnerability discovered by Rodrigo Rubira Branco (CVE-2010-2880) modified the index value used in the same structure.


DETAILS

0:008> r
eax=05215678 ebx=03a82dc8 ecx=0007ef40 edx=00000001 esi=0000001a edi=05301610
eip=044b2498 esp=0162ba14 ebp=0000007c iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f) ds:0023:05215684=????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at DIRAPI!Ordinal21+0x00000000000006f8 (Hash=0x53080807.0x53080814)

User mode write access violations that are not near NULL are exploitable.

Disassembly:

0:008> u 0x044b2498 L15
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f)
044b249e 83fe03 cmp esi,3
044b24a1 668b480c mov cx,word ptr [eax+0Ch]
044b24a5 7d1a jge DIRAPI!Ordinal21+0x721 (044b24c1)
044b24a7 813858464952 cmp dword ptr [eax],52494658h
044b24ad 7509 jne DIRAPI!Ordinal21+0x718 (044b24b8)
044b24af 8b4804 mov ecx,dword ptr [eax+4]
044b24b2 83c108 add ecx,8
044b24b5 894f48 mov dword ptr [edi+48h],ecx
044b24b8 c7401000000000 mov dword ptr [eax+10h],0
044b24bf eb19 jmp DIRAPI!Ordinal21+0x73a (044b24da)
044b24c1 f6c104 test cl,4
044b24c4 7507 jne DIRAPI!Ordinal21+0x72d (044b24cd)
044b24c6 c7401000000000 mov dword ptr [eax+10h],0
044b24cd 837804ff cmp dword ptr [eax+4],0FFFFFFFFh
044b24d1 7507 jne DIRAPI!Ordinal21+0x73a (044b24da)
044b24d3 c7400400000000 mov dword ptr [eax+4],0
044b24da 46 inc esi
044b24db 3bf5 cmp esi,ebp
044b24dd 7cb2 jl DIRAPI!Ordinal21+0x6f1 (044b2491)
044b24df 90 nop



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



========================================================================
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (duplicated KEY* reference in mmap record)
CVE-2010-4088


INTRODUCTION

Adobe Shockwave Player is Adobe's plugin for many different browsers, used to view rich-media web content including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files. The mmap record contains the offsets and lengths of all other records. One such record is KEY*, which in turn contains references to other records. Duplicated references to the same KEY* chunk cause problems in Chrome.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version 11.5.8.612, Module DIRAPI.dll on WinXP_PT SP3 Google Chrome 6.0.472.55


CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem, a PoC file (repro14.dir) is available to interested parties.


DETAILS


Due to the very nature of the problem and the way the browser handles it internally, it is very difficult to debug: the browser catches the failure.

ModLoad: 041c0000 041c7000 C:\WINDOWS\system32\Adobe\SHOCKW~1\xtras\CBrowser.x32
(924.a78): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=312fffcc ebp=312ffff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3

After the breakpoint is hit, we see that the browser simply handles the crash of the plugin:

0:009> g
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120f esp=312fffcc ebp=312ffff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint+0x1:
7c90120f c3 ret
0:009> k
ChildEBP RetAddr
312fffc8 7c951e40 ntdll!DbgBreakPoint+0x1
312ffff4 00000000 ntdll!DbgUiRemoteBreakin+0x2d


Forcing the browser to run in single-process mode, we get:

ModLoad: 041c0000 041c7000 C:\WINDOWS\system32\Adobe\SHOCKW~1\xtras\CBrowser.x32
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
eax=00000001 ebx=7c802446 ecx=00000000 edx=00000000 esi=0073abc0 edi=000009e0
eip=7c90e460 esp=042cff08 ebp=042cff50 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiUserCallbackDispatcher:
7c90e460 83c404 add esp,4
7c90e463 5a pop edx
7c90e464 64a118000000 mov eax,dword ptr fs:[<Unloaded_papi.dll>+0x7 (00000018)]
7c90e46a 8b4030 mov eax,dword ptr [eax+30h]
7c90e46d 8b402c mov eax,dword ptr [eax+2Ch]
7c90e470 ff1490 call dword ptr [eax+edx*4]
7c90e473 33c9 xor ecx,ecx
7c90e475 33d2 xor edx,edx
7c90e477 cd2b int 2Bh
7c90e479 cc int 3

The Stack Trace:
ntdll!KiUserCallbackDispatcher+0x0
USER32!NtUserMessageCall+0xc
USER32!SendMessageA+0x7f
Plugin!NP_Shutdown+0x41f4



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

========================================================================
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap record - VSWV entry)
CVE-2010-4087


INTRODUCTION

Adobe Shockwave Player is Adobe's plugin for many different browsers, used to view rich-media web content including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files: opening a malformed file with an invalid length for a VSWV entry inside an mmap record causes memory corruption in the module IML32.dll.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem, a PoC file (repro13.dir) is available to interested parties.


DETAILS

0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)

User mode write access violations that are not near NULL are exploitable.


Disassembly:

0:008> u 0x69081264 L15
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx
69081268 83c902 or ecx,2
6908126b 890e mov dword ptr [esi],ecx
6908126d 8b4318 mov eax,dword ptr [ebx+18h]
69081270 894608 mov dword ptr [esi+8],eax
69081273 8b4804 mov ecx,dword ptr [eax+4]
69081276 894e04 mov dword ptr [esi+4],ecx
69081279 8b5004 mov edx,dword ptr [eax+4]
6908127c 897208 mov dword ptr [edx+8],esi
6908127f 8b54241c mov edx,dword ptr [esp+1Ch]
69081283 897004 mov dword ptr [eax+4],esi
69081286 eb1e jmp IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31 lea edi,[ecx+esi]
6908128b 894ffc mov dword ptr [edi-4],ecx
6908128e 83c902 or ecx,2
69081291 890e mov dword ptr [esi],ecx
69081293 8b042f mov eax,dword ptr [edi+ebp]
69081296 8b7604 mov esi,dword ptr [esi+4]
69081299 83c802 or eax,2
6908129c 89042f mov dword ptr [edi+ebp],eax
6908129f 8bc5 mov eax,ebp


CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).


========================================================================
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (duplicated LCSM entries in mmap record)
CVE-2010-4089


INTRODUCTION

Adobe Shockwave Player is Adobe's plugin for many different browsers, used to view rich-media web content including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files. The mmap record contains the offsets and lengths of all other records. One such record is LCSM, which in turn contains references to other records. Duplicated LCSM entries cause memory corruption, as shown in the PoC (repro15.dir).
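As an added example that is not part of the Check Point advisories and not Shockwave's own code, the following validator shows the kind of pre-parse check that would reject both defect classes described across the four advisories: mmap entries whose element size does not fit inside the file (the mmap_element_size and VSWV cases) and duplicate entries that reference the same chunk (the KEY* and LCSM cases). The 12-byte entry layout, the tag names used as sample data and the file size are assumptions constructed for illustration, not the real Director .dir format.

```python
import struct

# Constructed table layout for this example: 4-byte tag, uint32 offset, uint32 length,
# little-endian. This is an assumption for illustration, not the real Director format.
ENTRY = struct.Struct("<4sII")

def build_table(entries):
    """Pack (tag, offset, length) tuples into a constructed mmap-style blob."""
    return b"".join(ENTRY.pack(tag, off, ln) for tag, off, ln in entries)

def parse_mmap(table):
    """Split the blob into (tag, offset, length) entries, rejecting a truncated table."""
    if len(table) % ENTRY.size:
        raise ValueError("truncated mmap table")
    return [ENTRY.unpack_from(table, i) for i in range(0, len(table), ENTRY.size)]

def validate_mmap(table, file_size):
    """Return a list of problems found; an empty list means every entry is sane."""
    problems = []
    seen = {}  # (tag, offset) -> index of the first entry that referenced this chunk
    for n, (tag, offset, length) in enumerate(parse_mmap(table)):
        name = tag.decode("ascii", "replace")
        # Python ints never wrap, so offset + length cannot silently overflow here;
        # a C parser must check for uint32 wrap-around before doing this comparison.
        if length == 0 or offset + length > file_size:
            problems.append(f"entry {n} ({name}): element size {length} at offset {offset} "
                            f"does not fit in a {file_size}-byte file")
        key = (tag, offset)
        if key in seen:
            problems.append(f"entry {n} ({name}): duplicate reference to the chunk "
                            f"already listed at entry {seen[key]}")
        else:
            seen[key] = n
    return problems

# Constructed sample tables for a hypothetical 0x80-byte file.
GOOD_TABLE = build_table([(b"KEY*", 0x20, 0x40), (b"LCSM", 0x60, 0x10), (b"VSWV", 0x70, 0x08)])
BAD_SIZE_TABLE = build_table([(b"KEY*", 0x20, 0x40), (b"VSWV", 0x70, 0xFFFF)])
DUP_TABLE = build_table([(b"LCSM", 0x60, 0x10), (b"LCSM", 0x60, 0x10)])

if __name__ == "__main__":
    for label, tbl in (("good", GOOD_TABLE), ("bad size", BAD_SIZE_TABLE), ("duplicate", DUP_TABLE)):
        print(label, validate_mmap(tbl, 0x80) or "ok")
```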

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702


CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem, a PoC file (repro15.dir) is available to interested parties.


DETAILS


ModLoad: 03a20000 03a27000 C:\WINDOWS\system32\Adobe\Shockwave 11\xtras\CBrowser.x32
ModLoad: 03e10000 03e27000 C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextAsset\Text Asset.x32
ModLoad: 048a0000 04989000 C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextXtra\TextXtra.x32
ModLoad: 04430000 04475000 C:\Documents and Settings\Rodrigo\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FontXtra\Font Xtra.x32
(1cc.b74): Access violation - code c0000005 (!!! second chance !!!)
eax=00000068 ebx=00000020 ecx=0162d550 edx=00000068 esi=0162d550 edi=0543386c
eip=69009f1f esp=0162d540 ebp=0543386c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Adobe\Shockwave 11\IML32.dll -
IML32!Ordinal1113+0xf:
69009f1f 8b4804 mov ecx,dword ptr [eax+4] ds:0023:0000006c=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at IML32!Ordinal1113+0x000000000000000f (Hash=0x1a537c3d.0x1a63313d)

The data from the faulting address is later used to determine whether or not a branch is taken.

Exploitation details sent to Adobe.



CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).