Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Adobe Shockwave Player Remote Code Execution (CVE-2012-2030)
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Wed, 09 May 2012 09:39:39 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Qualys Vulnerability & Malware Research Labs (VMRL)
http://www.dissect.pe

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2012-2030


INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers
to view rich-media content on the web including animations,
interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which
causes a corruption in module DPLib by opening a malformed file with
an invalid value located in PoC repro02.dir at offset 0x36A4.

This problem was confirmed in the following versions of Adobe
Shockwave Player and MacOS X, other versions may be also affected.

Shockwave Player version 11.6.3r633, Module DPLib.framework on MacOS X
10.7.2 (11C74)


CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro02.dir) is available to
interested parties.  Use Firefox or Safari to open the file and
reproduce the vulnerability.


DETAILS


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x90000004
0x0714b9db in MovieMemoryDispose ()
(gdb) bt
#0  0x0714b9db in MovieMemoryDispose ()
#1  0x0714d329 in MovieMemoryDispose ()
#2  0x0715b778 in MovieMemoryDispose ()
#3  0x0715be15 in MovieMemoryDispose ()
#4  0x0706964a in TELscriptRef_GetPropertyInitsAsHandle ()
#5  0x070697e8 in TELscriptRef_GetPropertyInitsAsHandle ()
#6  0x0706a579 in TELscriptRef_GetPropertyInitsAsHandle ()
#7  0x0706b82d in TELscriptRef_GetPropertyInitsAsHandle ()
#8  0x07065691 in TETourGetCpuHogTicks ()
#9  0x0700c684 in MovieInstAnimIdle ()
#10 0x01f524f4 in main ()
#11 0x01f526fa in main ()
#12 0x055e8a64 in imNPMessageHandleMacEvent ()
#13 0x01f507cf in main ()
#14 0x01f535d0 in main ()
#15 0x01f48bcc in dyld_stub_Gestalt ()
#16 0x996bedd9 in CAOpenGLLayerDraw ()
#17 0x996be842 in -[CAOpenGLLayer _display] ()
#18 0x9968dff5 in CA::Layer::display ()
#19 0x9968df11 in -[CALayer display] ()
#20 0x99685aec in CA::Layer::display_if_needed ()
#21 0x99684883 in CA::Context::commit_transaction ()
#22 0x99684594 in CA::Transaction::commit ()
#23 0x99683b29 in CA::Transaction::observer_callback ()
#24 0x96f697be in
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ ()
#25 0x96f696fd in __CFRunLoopDoObservers ()
#26 0x96f3b917 in CFRunLoopRunSpecific ()
#27 0x96f3b798 in CFRunLoopRunInMode ()
#28 0x95638a7f in RunCurrentEventLoopInMode ()
#29 0x9563fd9b in ReceiveNextEventCommon ()
#30 0x9563fc0a in BlockUntilNextEventMatchingListInMode ()
#31 0x95c8c040 in _DPSNextEvent ()
#32 0x95c8b8ab in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#33 0x95c87c22 in -[NSApplication run] ()
#34 0x01036dd9 in nsXPTCStubBase::Stub249 ()
(gdb) x/i $pc
0x714b9db <MovieMemoryDispose+445486>:  incl   0x4(%eax)
(gdb) i r $eax
eax            0x90000000       -1879048192


CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware
Research Labs (VMRL).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+qncsACgkQRpuC3B/O3qEWNwCfQQcZjDDOTzZTu3W1DrfMs7eN
/NYAnjXnpMpH/hgaAQRGa1huDADRERDI
=UIh/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Adobe Shockwave Player Remote Code Execution (CVE-2012-2030) Rodrigo Rubira Branco (BSDaemon) (May 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]