BugTraq
Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4087 Oct 30 2010 03:14PM
Rodrigo Branco (rbranco checkpoint com)
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file (mmap record - VSWV entry)
CVE-2010-4087

INTRODUCTION

Adobe Shockwave Player is Adobe's plugin for many different browsers, used to view rich-media web content including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files. Opening a malformed file whose mmap record contains a VSWV entry with an invalid length causes memory corruption in the module IML32.dll.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version 11.5.8.612, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal vector: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem, a PoC file (repro13.dir) is available to interested parties.

DETAILS

0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)

User mode write access violations that are not near NULL are exploitable.

Disassembly:

0:008> u 0x69081264 L15
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx
69081268 83c902 or ecx,2
6908126b 890e mov dword ptr [esi],ecx
6908126d 8b4318 mov eax,dword ptr [ebx+18h]
69081270 894608 mov dword ptr [esi+8],eax
69081273 8b4804 mov ecx,dword ptr [eax+4]
69081276 894e04 mov dword ptr [esi+4],ecx
69081279 8b5004 mov edx,dword ptr [eax+4]
6908127c 897208 mov dword ptr [edx+8],esi
6908127f 8b54241c mov edx,dword ptr [esp+1Ch]
69081283 897004 mov dword ptr [eax+4],esi
69081286 eb1e jmp IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31 lea edi,[ecx+esi]
6908128b 894ffc mov dword ptr [edi-4],ecx
6908128e 83c902 or ecx,2
69081291 890e mov dword ptr [esi],ecx
69081293 8b042f mov eax,dword ptr [edi+ebp]
69081296 8b7604 mov esi,dword ptr [esi+4]
69081299 83c802 or eax,2
6908129c 89042f mov dword ptr [edi+ebp],eax
6908129f 8bc5 mov eax,ebp

CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Copyright 2010, SecurityFocus