[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2864

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)

Memory corruption when Adobe Shockwave Player parses .dir media file


Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro03.dir at offset 0x24C6.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:C


To trigger the problem a PoC file (repro03.dir) is available to interested parts. 



69009F10 > 56               PUSH ESI
69009F11   8B7424 08        MOV ESI,DWORD PTR SS:[ESP+8]
69009F15   85F6             TEST ESI,ESI
69009F17   74 46            JE SHORT IML32.69009F5F
69009F19   8B06             MOV EAX,DWORD PTR DS:[ESI]
69009F1B   85C0             TEST EAX,EAX
69009F1D   74 3A            JE SHORT IML32.69009F59
69009F1F   8B48 04          MOV ECX,DWORD PTR DS:[EAX+4] <--- Problem

EAX = 0xA1A10000
ECX = 0x0013D0C8


This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies