Home page logo
/

bugtraq logo Bugtraq mailing list archives

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2882
From: Rodrigo Branco <rbranco () checkpoint com>
Date: Wed, 25 Aug 2010 06:02:26 -0700

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2882


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including 
animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by 
opening a malformed file with an invalid value located in PoC repro.dir at offset 0x3812.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS


CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro11.dir) is available to interested parts. 


DETAILS

Disassembly:

68113255   8B4C24 24        MOV ECX,DWORD PTR SS:[ESP+24]
68113259   8B01             MOV EAX,DWORD PTR DS:[ECX]
6811325B   FF48 04          DEC DWORD PTR DS:[EAX+4]
6811325E   8B01             MOV EAX,DWORD PTR DS:[ECX]
68113260   8B48 04          MOV ECX,DWORD PTR DS:[EAX+4]
68113263   85C9             TEST ECX,ECX
68113265  ^0F8F 95EEFFFF    JG DIRAPI.68112100
6811326B   8B5424 24        MOV EDX,DWORD PTR SS:[ESP+24]
6811326F   8B08             MOV ECX,DWORD PTR DS:[EAX]
68113271   52               PUSH EDX
68113272   56               PUSH ESI
68113273   FF51 0C          CALL DWORD PTR DS:[ECX+C] <--- Problem


ECX = 0x00000000


CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team 
(VDT).




Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies


  By Date           By Thread  

Current thread:
  • Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2882 Rodrigo Branco (Aug 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault