Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24597
HistoryAug 26, 2010 - 12:00 a.m.

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2882

2010-08-2600:00:00
vulners.com
27
JSON

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2882

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid value located in PoC repro.dir at offset 0x3812.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro11.dir) is available to interested parts.

DETAILS

Disassembly:

68113255 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
68113259 8B01 MOV EAX,DWORD PTR DS:[ECX]
6811325B FF48 04 DEC DWORD PTR DS:[EAX+4]
6811325E 8B01 MOV EAX,DWORD PTR DS:[ECX]
68113260 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
68113263 85C9 TEST ECX,ECX
68113265 ^0F8F 95EEFFFF JG DIRAPI.68112100
6811326B 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
6811326F 8B08 MOV ECX,DWORD PTR DS:[EAX]
68113271 52 PUSH EDX
68113272 56 PUSH ESI
68113273 FF51 0C CALL DWORD PTR DS:[ECX+C] <— Problem

ECX = 0x00000000

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related

checkpoint_advisories 1
cve 1
prion 1
nessus 2
openvas 2
securityvulns 2
checkpoint_advisories
checkpoint_advisories
Adobe Shockwave Player rcsL Chunk Symbol Access Violations (APSB10-20; CVE-2010-2882)
2010-08-25 00:00:00
cve
cve
CVE-2010-2882
2010-08-26 21:00:00
prion
prion
Memory corruption
2010-08-26 21:00:00
nessus
nessus
Shockwave Player < 11.5.8.612
2010-08-25 00:00:00
Adobe Shockwave Player <= 11.5.7.609 (APSB10-20) (Mac OS X)
2014-12-22 00:00:00
openvas
openvas
Adobe Shockwave Player Multiple Vulnerabilities Aug-10
2010-09-01 00:00:00
Adobe Shockwave Player Multiple Vulnerabilities Aug-10
2010-09-01 00:00:00
securityvulns
securityvulns
Security update available for Shockwave Player
2010-08-26 00:00:00
Adobe Shockwave Player multiple security vulnerabilities
2010-08-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:24597
checkpoint_advisories1cve1prion1nessus2openvas2securityvulns2