
Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4087

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)

Memory corruption when Adobe Shockwave Player parses a .dir media file (mmap record, VSWV entry)


Adobe Shockwave Player is Adobe's browser plugin for viewing rich-media content on the web, including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files. Opening a malformed file in which a VSWV entry inside an mmap record carries an invalid length causes memory corruption in the IML32.dll module.

This problem was confirmed in the following versions of Adobe Shockwave Player and Windows; other versions may also be affected.

Shockwave Player version, Module IML32.dll on WinXP_PT SP3 Internet Explorer 8.0.6001.18702

CVSS Scoring System (CVSS v2)

The CVSS score is: 9
	Base Score: 10
	Temporal Score: 9
We used the following vectors to calculate the scores:
	Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal vector: E:POC/RL:U/RC:C


To trigger the problem, a PoC file (repro13.dir) is available to interested parties.


0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)

User mode write access violations that are not near NULL are exploitable.


0:008> u 0x69081264 L15
69081264 894c31fc        mov     dword ptr [ecx+esi-4],ecx
69081268 83c902          or      ecx,2
6908126b 890e            mov     dword ptr [esi],ecx
6908126d 8b4318          mov     eax,dword ptr [ebx+18h]
69081270 894608          mov     dword ptr [esi+8],eax
69081273 8b4804          mov     ecx,dword ptr [eax+4]
69081276 894e04          mov     dword ptr [esi+4],ecx
69081279 8b5004          mov     edx,dword ptr [eax+4]
6908127c 897208          mov     dword ptr [edx+8],esi
6908127f 8b54241c        mov     edx,dword ptr [esp+1Ch]
69081283 897004          mov     dword ptr [eax+4],esi
69081286 eb1e            jmp     IML32!Ordinal2064+0x7296 (690812a6)
69081288 8d3c31          lea     edi,[ecx+esi]
6908128b 894ffc          mov     dword ptr [edi-4],ecx
6908128e 83c902          or      ecx,2
69081291 890e            mov     dword ptr [esi],ecx
69081293 8b042f          mov     eax,dword ptr [edi+ebp]
69081296 8b7604          mov     esi,dword ptr [esi+4]
69081299 83c802          or      eax,2
6908129c 89042f          mov     dword ptr [edi+ebp],eax
6908129f 8bc5            mov     eax,ebp
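The faulting instruction above writes a register value to an address computed from that same value plus a block pointer (mov [ecx+esi-4],ecx), which is the shape of a size footer being stored at the end of a freshly sized block. The following is an added example, not Check Point's research code and not Adobe's IML32 implementation: a small C model of an mmap-record walker that sizes a block from an entry's length field, shown in a naive form beside a hardened form that bounds every length against the file size before allocating. The record layout (a 32-bit count followed by 12-byte little-endian fourcc/length/offset entries), the 4-byte footer, the MAX_CHUNK cap, the sample bytes and the use of the ecx value 0x362607f0 as a stand-in for a malformed length are all assumptions of this example, not facts from the advisory.

```c
/* Added example: model of mmap-entry length validation for a .dir loader.
 * The record layout, footer and size cap below are assumptions of this
 * example, not the real Director on-disk format or Adobe's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FOOTER_SIZE 4u            /* bytes reserved at the end of each block (assumed) */
#define MAX_CHUNK   (64u << 20)   /* sanity cap on any single chunk (assumed) */
#define ENTRY_SIZE  12u           /* simplified entry: fourcc, length, offset (assumed) */
#define TAG(a,b,c,d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

typedef struct {
    uint32_t fourcc;   /* e.g. TAG('V','S','W','V') */
    uint32_t length;   /* attacker-controlled in a malformed file */
    uint32_t offset;   /* where the chunk body lives in the file */
} mmap_entry;

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Naive loader: trusts e->length. It allocates the block, copies the body and
 * stores the length in a footer at block+length-4, the same shape as the faulting
 * write in the crash dump. A huge length puts the footer far past the allocation;
 * a length below 4 puts it before it. Never call this with untrusted input. */
static unsigned char *load_chunk_naive(const unsigned char *file, const mmap_entry *e) {
    unsigned char *block = malloc(e->length);
    if (!block) return NULL;
    memcpy(block, file + e->offset, e->length - FOOTER_SIZE);   /* unchecked read */
    wr32(block + e->length - FOOTER_SIZE, e->length);           /* unchecked write */
    return block;
}

/* Hardened check: footer underflow, an absurd size, and offset+length running
 * past the file are all rejected, with the last test written so it cannot wrap. */
static int entry_is_sane(const mmap_entry *e, size_t file_size) {
    if (e->length < FOOTER_SIZE || e->length > MAX_CHUNK) return 0;
    if (e->offset > file_size) return 0;
    if (e->length > file_size - e->offset) return 0;   /* overflow-free offset+length > file_size */
    return 1;
}

static unsigned char *load_chunk_checked(const unsigned char *file, size_t file_size, const mmap_entry *e) {
    if (!entry_is_sane(e, file_size)) return NULL;
    unsigned char *block = malloc(e->length);
    if (!block) return NULL;
    memcpy(block, file + e->offset, e->length - FOOTER_SIZE);
    wr32(block + e->length - FOOTER_SIZE, e->length);
    return block;
}

/* Walk an mmap record at mmap_off: [count:u32][entries...]. Returns the number of
 * entries accepted into out[], or -1 if the record itself does not fit the file. */
static int parse_mmap(const unsigned char *file, size_t file_size, size_t mmap_off,
                      mmap_entry *out, size_t max_out) {
    if (mmap_off > file_size || file_size - mmap_off < 4) return -1;
    uint32_t count = rd32(file + mmap_off);
    size_t avail = file_size - mmap_off - 4;
    if (count > avail / ENTRY_SIZE) return -1;          /* the entry table must fit too */
    int accepted = 0;
    for (uint32_t i = 0; i < count && (size_t)accepted < max_out; i++) {
        const unsigned char *p = file + mmap_off + 4 + (size_t)i * ENTRY_SIZE;
        mmap_entry e = { rd32(p), rd32(p + 4), rd32(p + 8) };
        if (!entry_is_sane(&e, file_size)) {
            fprintf(stderr, "rejecting entry %u: length 0x%08x offset %u\n", i, e.length, e.offset);
            continue;
        }
        out[accepted++] = e;
    }
    return accepted;
}

/* Constructed sample file (not a real .dir): 16 bytes of chunk body at offset 0,
 * then an mmap record at offset 16 with one VSWV entry claiming vswv_length bytes. */
static size_t build_sample_file(unsigned char *buf, uint32_t vswv_length) {
    memset(buf, 0xAB, 16);
    wr32(buf + 16, 1);                       /* entry count */
    wr32(buf + 20, TAG('V','S','W','V'));
    wr32(buf + 24, vswv_length);
    wr32(buf + 28, 0);                       /* body offset */
    return 32;
}

/* Number of entries the hardened walker accepts for a given claimed VSWV length. */
int accepted_entries_for_length(uint32_t vswv_length) {
    unsigned char file[32];
    mmap_entry entries[4];
    size_t n = build_sample_file(file, vswv_length);
    return parse_mmap(file, n, 16, entries, 4);
}

/* Loads the entry through the hardened path and returns the footer read back
 * from the block, or -1 if the entry was rejected. */
int demo_checked_load(uint32_t vswv_length) {
    unsigned char file[32];
    mmap_entry e;
    size_t n = build_sample_file(file, vswv_length);
    if (parse_mmap(file, n, 16, &e, 1) != 1) return -1;
    unsigned char *block = load_chunk_checked(file, n, &e);
    if (!block) return -1;
    int footer = (int)rd32(block + e.length - FOOTER_SIZE);
    free(block);
    return footer;
}

int main(void) {
    unsigned char file[32];
    mmap_entry ok = { TAG('V','S','W','V'), 16, 0 };
    build_sample_file(file, 16);
    free(load_chunk_naive(file, &ok));       /* safe only because the entry is well formed */
    printf("well-formed length 16:        %d accepted\n", accepted_entries_for_length(16));
    printf("malformed length 0x362607f0:  %d accepted\n", accepted_entries_for_length(0x362607f0u));
    printf("malformed length 0xffffffff:  %d accepted\n", accepted_entries_for_length(0xffffffffu));
    printf("malformed length 2 (underflow): %d accepted\n", accepted_entries_for_length(2));
    return 0;
}
```

The point of the checked path is ordering: the length is compared against the remaining file size and a fixed cap before it is ever used in allocation or pointer arithmetic, and the comparison is written as length > file_size - offset so that a length near 0xffffffff cannot wrap the sum back into range. The underflow case (a length below the footer size) is the one most often missed when a loader only guards against "too large".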


This vulnerability was discovered by Michael Golub and researched by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies