Computer Security


From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: 29.10.2002
Subject: Multiple vulnerabilities in Macromedia Flash ActiveX

Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0)
Vendor: Macromedia was not contacted
Risk: High
Remote: Yes
Exploitable: Yes

Intro:

The Macromedia Flash ActiveX plugin displays .swf files under Internet
Explorer.

Vulnerabilities:

A few vulnerabilities were identified: protected memory reading, a memory
consumption DoS and, more seriously:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in the SWRemote parameter of the Flash object.

Details:

The last bug is very close to the one reported by eEye in May [2]. This
kind of overflow (heap-based Unicode overflow) is definitely exploitable
under Internet Explorer. The attached proof of concept (by LOM) [1]
demonstrates an exception triggered in free(). See [3] for exploiting heap
overflows and [4] for exploiting Unicode overflows under Internet Explorer.
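
A content-filter check for the SWRemote issue, as an added example that is not part of the original advisory or the proof of concept: it scans HTML for SWRemote values that exceed a length limit. The names scan_html, SWRemoteScanner and MAX_SWREMOTE_LEN, the 256-character limit, and the two ways of passing the value (a param element or a tag attribute) are assumptions; the advisory states none of them.

```python
from html.parser import HTMLParser

# Assumption: the advisory gives no length at which the overflow triggers,
# so this limit is a policy value chosen for the example.
MAX_SWREMOTE_LEN = 256


class SWRemoteScanner(HTMLParser):
    """Flag over-long SWRemote values handed to Flash <object>/<embed> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line number, how the value was passed, length)

    def _check(self, how, value):
        value = value or ""  # an attribute without a value parses as None
        if len(value) > MAX_SWREMOTE_LEN:
            self.findings.append((self.getpos()[0], how, len(value)))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        attrs = dict(attrs)
        if tag in ("object", "embed") and "swremote" in attrs:
            self._check(tag + " attribute", attrs["swremote"])
        # <param> is checked even outside <object> so malformed nesting
        # cannot be used to slip past the filter.
        if tag == "param" and (attrs.get("name") or "").lower() == "swremote":
            self._check("param element", attrs.get("value"))


def scan_html(html):
    """Return the findings for one HTML document given as a string."""
    scanner = SWRemoteScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one over-long value and one short, benign value.
SAMPLE = (
    '<object type="application/x-shockwave-flash">\n'
    '  <param name="movie" value="intro.swf">\n'
    '  <param name="SWRemote" value="' + "x" * 4000 + '">\n'
    '</object>\n'
    '<embed src="menu.swf" swremote="short-value">\n'
)

if __name__ == "__main__":
    for line, how, length in scan_html(SAMPLE):
        print(f"line {line}: SWRemote via {how}, {length} characters")
```

Lengths are counted in characters after entity decoding, which matches the Unicode form in which the control receives the string.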

Credits:

Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

References:

1. Macromedia Shockwave proof of concept
  http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash Activex Buffer overflow
  http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
  http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
  few sidenotes on Unicode overflows in general)
  http://www.security.nnov.ru/search/document.asp?docid=2554

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod