Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24594
HistoryAug 26, 2010 - 12:00 a.m.

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2869

2010-08-2600:00:00
vulners.com
19
JSON

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2869

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro10.dir at offset 0x3712.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro10.dir) is available to interested parts.

DETAILS

Disassembly:

7C9011DD > 8BFF MOV EDI,EDI
7C9011DF 55 PUSH EBP
7C9011E0 8BEC MOV EBP,ESP
7C9011E2 83EC 54 SUB ESP,54
7C9011E5 56 PUSH ESI
7C9011E6 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C9011EC 803D 94E0977C 00 CMP BYTE PTR DS:[7C97E094],0
7C9011F3 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
7C9011F6 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
7C9011F9 0F85 F7EC0000 JNZ ntdll.7C90FEF6
7C9011FF F646 10 10 TEST BYTE PTR DS:[ESI+10],10
7C901203 0F84 EDEC0000 JE ntdll.7C90FEF6
7C901209 5E POP ESI
7C90120A C9 LEAVE
7C90120B C2 0400 RETN 4
7C90120E > CC INT3
7C90120F C3 RETN <— Stop Here :)

EIP = 0x00000000

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related

checkpoint_advisories 1
cve 1
prion 1
securityvulns 2
nessus 2
openvas 2
checkpoint_advisories
checkpoint_advisories
Adobe Shockwave Player IML32.dll XtcL Denial of Service (APSB10-20; CVE-2010-2869)
2010-08-25 00:00:00
cve
cve
CVE-2010-2869
2010-08-26 21:00:00
prion
prion
Memory corruption
2010-08-26 21:00:00
securityvulns
securityvulns
Adobe Shockwave Player multiple security vulnerabilities
2010-08-26 00:00:00
Security update available for Shockwave Player
2010-08-26 00:00:00
nessus
nessus
Adobe Shockwave Player <= 11.5.7.609 (APSB10-20) (Mac OS X)
2014-12-22 00:00:00
Shockwave Player < 11.5.8.612
2010-08-25 00:00:00
openvas
openvas
Adobe Shockwave Player Multiple Vulnerabilities Aug-10
2010-09-01 00:00:00
Adobe Shockwave Player Multiple Vulnerabilities (Aug 2010)
2010-09-01 00:00:00
JSON
Related for SECURITYVULNS:DOC:24594
checkpoint_advisories1cve1prion1securityvulns2nessus2openvas2