- #Adobe shockwave player memory corruption vulnerability movie
- #Adobe shockwave player memory corruption vulnerability update
- #Adobe shockwave player memory corruption vulnerability windows
By leveraging this flaw, an attacker can execute arbitrary code in the context of the current process.Īdobe has issued an update to correct this vulnerability. The version of Adobe Shockwave Player installed on the remote host is equal or prior to 12.2.9.199.
The specific flaw exists within processing of certain AVM2 instructions, allowing direct memory access outside of the domain memory. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash.
#Adobe shockwave player memory corruption vulnerability windows
The sample + exploit are tested on patched windows XP service pack 3.December 15th, 2013 Adobe Flash Player Memory Corruption Remote Code Execution Vulnerability ZDI-13-275 In our test sample we used 0a0a0a0a as both base range of heap spray and nopslides because 0a0a opcode is an OR instruction on some unimportant registers. But we can use other opcodes as nopslides that doesn’t have any effect. As you know an EIP of 90909090 is invalid. To control the 4 bytes EAX register in our exploit we manipulated 4bytes at offset 4C4B of the file to value FFF00267.Īn important hint here is that because we call the indirect pointer the EIP is set to nops itself. So here by abusing javascript we can use old-school heap spray technic to fill memory with nops+shellcode and call to this range. Exploitation :įor exploitation purpose because we don’t have a fixed address in our call we cannot control the execution flow to an exact value but we can jump to a specific range because we have control on first bytes of the pointer of indirect call. The host is installed with Adobe Shockwave Player before 11.5.9.620 and is prone to denial of service (memory corruption) vulnerability. Because result of EAX*24 is a large value and we have complete control on EAX register we can almost control first byte of our indirect call pointer without the need of ECX register. Value of offset 28h of the structure that is unknown is set in ECX register and finally an indirect call to the ‘ECX+EAX*24+20h’ is done. EAX register is set with second argument that we have control on it and ESI is first argument of the function and is a pointer to a dynamic allocated structure in heap. HKCERT is the centre for coordinating computer security incident response for local enterprises and Internet Users. By manipulating the argument in rcsL chunk we reach to an indirect call that is based on our arguments. In the above function we have direct control on the second argument of the function. The 4bytes so called value can be manipulated to reach the vulnerable part of function 68122990.
#Adobe shockwave player memory corruption vulnerability movie
There is a 4bytes value in the undocumented rcsL chunk in our sample director movie and it may be possible to find similar rcsL chunks in other director samples. Some of the chunk identifiers are tSAC, pami, rcsL.īy help of our simple fuzzer we have manipulated a director movie file and found a vulnerability in part of an existing rcsL chunk. And subsequently chunks come together with format of 4byte chunk identifier + size of chunk + data. RIFF formats start with a 4byte RIFX identifier and length of the file. The manipulation with an unknown input leads to a memory corruption vulnerability.
DIR file format is based on RIFF based formats. A vulnerability was found in Adobe Shockwave Player 12.0.7.148 (Multimedia Player Software). This problem was confirmed in the following versions of Adobe Shockwave Player and Windows, other versions may be also affected. Duplicated references to the same KEY chunk causes problems in Chrome. It also contains references to other records. Director movies have DIR or compressed format of DCR. mmap records contains offsets and lengths of all other records. Shockwave player is a plug in for loading Adobe Director video files in to the browser. Note: Adobe Shockwave Player has reached EOL. A remote attacker can exploit these vulnerabilities to execute arbitrary code. It is, therefore, affected by multiple memory corruption vulnerabilities. Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause denial-of-service conditions. Description The remote Windows host contains a version of Adobe Shockwave Player that is prior or equal to 12.3.4.204. 1) Advisory information Title : Adobe Shockwave player rcsL chunk memory corruptionĬontact : shahin, info Ģ) Vulnerable version Shockwave Player 11.5.8.612 last versionġ- Memory corruption allow command execute
0 kommentar(er)
