Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25029
HistoryNov 02, 2010 - 12:00 a.m.

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4086

2010-11-0200:00:00
vulners.com
15
JSON

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish
the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
(mmap_element_size)
CVE-2010-4086

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view
rich-media content on the web including animations, interactive presentations, and
online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a
corruption in module DIRAPI.dll by opening a malformed file with an invalid
element size.

This problem was confirmed in the following versions of Adobe Shockwave Player
and Windows, other versions may be also affected.

Shockwave Player version 11.5.8.612, Module DIRAPI.dll on WinXP_PT SP3 Internet
Explorer 8.0.6001.18702

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro12.dir) is available to interested
parties. Important to note that a previous vulnerability discovered by
Rodrigo Rubira Branco (CVE-2010-2880) modified the index value used in the same
structure.

DETAILS

0:008> r
eax=05215678 ebx=03a82dc8 ecx=0007ef40 edx=00000001 esi=0000001a edi=05301610
eip=044b2498 esp=0162ba14 ebp=0000007c iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset
<Unloaded_dui.DLL>+0x7f0e (00007f1f) ds:0023:05215684=???
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
DIRAPI!Ordinal21+0x00000000000006f8 (Hash=0x53080807.0x53080814)

User mode write access violations that are not near NULL are exploitable.

Disassembly:

0:008> u 0x044b2498 L15
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset
<Unloaded_dui.DLL>+0x7f0e (00007f1f)
044b249e 83fe03 cmp esi,3
044b24a1 668b480c mov cx,word ptr [eax+0Ch]
044b24a5 7d1a jge DIRAPI!Ordinal21+0x721 (044b24c1)
044b24a7 813858464952 cmp dword ptr [eax],52494658h
044b24ad 7509 jne DIRAPI!Ordinal21+0x718 (044b24b8)
044b24af 8b4804 mov ecx,dword ptr [eax+4]
044b24b2 83c108 add ecx,8
044b24b5 894f48 mov dword ptr [edi+48h],ecx
044b24b8 c7401000000000 mov dword ptr [eax+10h],0
044b24bf eb19 jmp DIRAPI!Ordinal21+0x73a (044b24da)
044b24c1 f6c104 test cl,4
044b24c4 7507 jne DIRAPI!Ordinal21+0x72d (044b24cd)
044b24c6 c7401000000000 mov dword ptr [eax+10h],0
044b24cd 837804ff cmp dword ptr [eax+4],0FFFFFFFFh
044b24d1 7507 jne DIRAPI!Ordinal21+0x73a (044b24da)
044b24d3 c7400400000000 mov dword ptr [eax+4],0
044b24da 46 inc esi
044b24db 3bf5 cmp esi,ebp
044b24dd 7cb2 jl DIRAPI!Ordinal21+0x6f1 (044b2491)
044b24df 90 nop

CREDITS

This vulnerability was discovered by Michael Golub and researched by Rodrigo
Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related

cve 6
securityvulns 4
prion 6
checkpoint_advisories 2
nessus 4
openvas 4
cve
cve
CVE-2010-2880
2010-08-26 21:00:00
CVE-2010-4086
2010-10-29 19:00:00
CVE-2010-4084
2010-10-29 19:00:00
securityvulns
securityvulns
Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2880
2010-08-26 00:00:00
Adobe Shockwave multiple security vulnerabilities
2010-11-02 00:00:00
Security update available for Shockwave Player
2010-08-26 00:00:00
prion
prion
Memory corruption
2010-08-26 21:00:00
Memory corruption
2010-10-29 19:00:00
Memory corruption
2010-10-29 19:00:00
checkpoint_advisories
checkpoint_advisories
Adobe Shockwave Player MMAP Index Memory Corruption (APSB10-20; CVE-2010-2880)
2010-08-24 00:00:00
Adobe Shockwave Player MMAP Entry Size Memory Corruption (APSB10-25; CVE-2010-4084; CVE-2010-4086)
2010-10-28 00:00:00
nessus
nessus
Shockwave Player < 11.5.9.615
2010-10-28 00:00:00
Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X)
2014-12-22 00:00:00
Shockwave Player < 11.5.8.612
2010-08-25 00:00:00
openvas
openvas
Adobe Shockwave Player Multiple Vulnerabilities Nov-10
2010-12-09 00:00:00
Adobe Shockwave Player Multiple Vulnerabilities (Nov 2010)
2010-12-09 00:00:00
Adobe Shockwave Player Multiple Vulnerabilities (Aug 2010)
2010-09-01 00:00:00
JSON
Related for SECURITYVULNS:DOC:25029
cve6securityvulns4prion6checkpoint_advisories2nessus4openvas4