iDefense Security Advisory 06.14.11 - Remote exploitation of a heap overflow vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "DRCF" chunk. Specifically, when parsing a substructure inside of this chunk, it is possible to trigger a code path that leads to an incorrect string copy operation. The vulnerable code performs a certain operation on a heap-based buffer, which has the effect of overwriting the NULL terminator of the string in the middle of the copy operation. This will lead to an endless copy loop until the read operation hits the end of the memory segment. This operation writes beyond the allocated heap buffer, and can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
3b0ec1fef75086d0e796f5ce1dea0706958798bc9b403f2258059ba1d3e7612fiDefense Security Advisory 06.14.11 - Remote exploitation of a integer signedness vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "Lscr" record. This record can embed Lingo script code, which is Shockwave's scripting language. The vulnerability occurs when processing certain opcodes. Specifically, a 32-bit value from the file is used as an offset into a heap buffer without proper validation. When comparing the value to the maximum buffer size, a signed comparison is performed. By using a negative value, it is possible to index outside of the allocated buffer. This results in data outside of the buffer being treated as a valid pointer, and this pointer is later used as the destination of a write operation. This can corrupt an arbitrary memory address, which can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
952c40d913beb9b78faaad430aeb7a3d76e8f0453128f6534822d4e3d407462dA vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the dirapi.dll does not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.
2e9a419ed0169c3cc6d9ce5d2e301542d14e6febbed1409f4b43cadd505ed726Zero Day Initiative Advisory 11-220 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the RIFF-based Director (.dir) files. When handling an undocumented substructure, the code within dirapi.dll can be forced to incorrectly calculate a destination pointer if it encounters certain 1-byte opcodes within the .dir file. The assumptions made by the code can allow for malicious values to influence a size parameter that is used to calculate a memory address. This address is then written to with controlled data. This can be abused by an attacker to corrupt memory and subsequently execute arbitrary code under the context of the user running the browser.
7ce4bc2e5363a0845511ebbcaf9f91ca8d13fd5a47368fb1908ec0231aa16841Zero Day Initiative Advisory 11-216 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the Dirapi.dll is affected by an integer wrap caused by size values being calculated without proper checking. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.
176bd1c412d29418a16f3ba7958308ea7a8459e66782c9e781ece208211e42f0Zero Day Initiative Advisory 11-209 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the Dirapi.dll is affected by an integer wrap caused by the size value being calculated from the difference of two pointers without checking if the first is above the other and resulting in endless copying. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.
5034d98cbb0d3ea6446f4c09451dc005fa93652011d8321fb4238383016f74c7Zero Day Initiative Advisory 11-205 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the RIFF-based Director file format that Shockwave utilizes. When parsing such files, the code within the dirapi.dll module expects to find a chunk with a fourCC value of Lctx. The code does not consider the possibility that one may not exist and in that scenario if fails to properly initialize certain values that are used later on in parsing other chunks. By removing the Lctx chunk and also filling heap memory, an attacker can take advantage of the uninitialized values to write values to an arbitrary location in memory. This can be leveraged to execute remote code under the context of the user running the browser.
fd5ea199b1d51fae2bfd1e359349e926c0c617d581efbdf9c9895e040bd33ff0
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed