[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CORE-2010-0405] Adobe Director Invalid Read

Hash: SHA1

      Core Security Technologies - CoreLabs Advisory

Adobe Director DIRAPI.DLL Invalid Read Vulnerability

1. *Advisory Information*

Title: Adobe Director DIRAPI.DLL Invalid Read Vulnerability
Advisory Id: CORE-2010-0405
Advisory URL:
Date published: 2010-05-11
Date of last update: 2010-05-11
Vendors contacted: Adobe
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Denial of service
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-0128
Bugtraq ID: N/A

3. *Vulnerability Description*

Adobe Director is prone to a vulnerability due to an invalid read in
'DIRAPI.DLL', when opening a malformed .dir file. This vulnerability
could be used by a remote attacker to execute arbitrary code, by
enticing the user of Adobe Director to open a specially crafted file.

4. *Vulnerable packages*

   . Adobe Director 11.5
   . Adobe Director 11 (Version:

5. *Non-vulnerable packages*

   . Adobe Director 11.5 (Version:

6. *Solutions and Workarounds*

    See the Adobe Security Bulletin [1] available at

7. *Credits*

This vulnerability was discovered and researched by Nahuel Riva, from
Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.

8. *Technical Description*

The vulnerability occurs at offset '0x68174813' of the 'dirapi.dll'
module of Adobe Director. Improper validation of input data leads to a
crash in the memory read instruction. This vulnerability could result in
arbitrary code execution, although it was not verified.

App: Adobe Director 11
Module crash: Dirapi.dll Version:

68174813  |.  8906          |MOV DWORD PTR DS:[ESI],EAX
68174815  |>  8B4C24 14     |MOV ECX,DWORD PTR SS:[ESP+14]
68174819  |.  51            |PUSH ECX
6817481A  |.  E8 3197F5FF   |CALL <JMP.&IML32.#1414>
6817481F  |.  8946 04       |MOV DWORD PTR DS:[ESI+4],EAX
68174822  |.  83C6 08       |ADD ESI,8
68174825  |.  4D            |DEC EBP
68174826  |.^ 75 C8         \JNZ SHORT DIRAPI.681747F0


EAX 00000000
ECX 00000068
EDX 00000001
ESP 0012DFB8
EBP 0000373D
ESI 02889B20
EDI 01BC9964
EIP 68174813 DIRAPI.68174813
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NEGATIVE_SEEK (00000083)
EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000000 00000000
ST4 empty 0.0000106994366433355
ST5 empty 0.6322773098945617676
ST6 empty -0.0034003453329205513
ST7 empty 1041416.9375000000000
               3 2 1 0      E S P U O Z D I
FST 4220  Cond 1 0 1 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 007F  Prec NEAR,24  Mask    1 1 1 1 1 1

Stack Trace:
Call stack of main thread
Address    Stack      Procedure / arguments                 Called from
0012DFC4   68175563   DIRAPI.681747A0                    DIRAPI.6817555E
0012DFE4   6817003B   DIRAPI.68175290                    DIRAPI.68170036
0012E018   6817020D   DIRAPI.6816FF40                    DIRAPI.68170208
0012E01C   00A923C8     Arg1 = 00A923C8
0012E020   00000011     Arg2 = 00000011
0012E024   00000003     Arg3 = 00000003
0012E028   0012E050     Arg4 = 0012E050
0012E02C   00001100     Arg5 = 00001100
0012E048   680F6D50   DIRAPI.681701A0                    DIRAPI.680F6D4B
0012E04C   00000000     Arg1 = 00000000
0012E050   00000003     Arg2 = 00000003
0012E054   00000091     Arg3 = 00000091
0012E058   0012E07C     Arg4 = 0012E07C
0012E05C   00001100     Arg5 = 00001100
0012E068   6800CFC0   DIRAPI.680F6D30                    DIRAPI.6800CFBB
0012E088   680817EC   DIRAPI.6800CF80                    DIRAPI.680817E7
0012E0B4   680823E3   DIRAPI.68081760                    DIRAPI.680823DE
0012E0C8   680836A7   DIRAPI.68082380                    DIRAPI.680836A2
0012E638   680839E2   DIRAPI.68082EA0                    DIRAPI.680839DD
0012E63C   00A86E8C     Arg1 = 00A86E8C
0012E640   0012F5EC     Arg2 = 0012F5EC
0012E644   00000000     Arg3 = 00000000
0012E648   00000000     Arg4 = 00000000
0012E64C   0000001A     Arg5 = 0000001A
0012E674   68042D8C   DIRAPI.68083970                    DIRAPI.68042D87
0012E678   00A86E8C     Arg1 = 00A86E8C
0012E67C   0012F5EC     Arg2 = 0012F5EC
0012E680   00000000     Arg3 = 00000000
0012E684   00000000     Arg4 = 00000000
0012E688   0000001A     Arg5 = 0000001A
0012E6B0   6800A111   DIRAPI.68042C90                    DIRAPI.#88+7C
0012E6B4   00A92588     Arg1 = 00A92588
0012E6B8   0012F5EC     Arg2 = 0012F5EC
0012E6BC   00000000     Arg3 = 00000000
0012E6C0   0000001A     Arg4 = 0000001A
0012E6DC   2018BB23   <JMP.&DIRAPI.#88>                Director.2018BB1E
0012E83C   2027E776   ? Director.2018BAB0              Director.2027E771
- -----/

9. *Report Timeline*

. 2010-04-14:
Vendor contacted.

. 2010-04-14:
Vendor requests PoC file.

. 2010-04-14:
Core replies with the PoC file and the draft advisory.

. 2010-04-14:
Adobe replies that will investigate the issue and sets a preliminary
release date for June/July.

. 2010-04-15:
Core agrees with the preliminary release date.

. 2010-04-28:
Core requests an update on the situation, and asks whether Adobe was
able to confirm if the bug is exploitable.

. 2010-04-28:
Adobe replies that the issue was investigated and is scheduled to be
fixed in the next release of Adobe Shockwave Player, planned for May;
they did not carry out further exploitability research.

. 2010-04-28:
Core requests a specific publication date for the fix.

. 2010-05-06:
Adobe informs Core that the release date for the fix has been set to May

. 2010-05-07:
Core asks Adobe if they want to provide the text for the "Solutions and
Workarounds" section of the advisory.

. 2010-05-07:
Adobe replies with the text for the "Solutions and Workarounds" section
of the advisory.

. 2010-05-11:
Advisory published.

10. *References*

[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at

13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org