ID

VAR-201005-0101


CVE

CVE-2010-1281


TITLE

Adobe Shockwave Player of iml32.dll Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-001480

DESCRIPTION

iml32.dll in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. User interaction is required in that a target visit a malicious website.The specific flaw exists within the code responsible for parsing Director files. The vulnerable function is exported as an ordinal from the iml32.dll module. Ordinal 1409 trusts a value from the file as an offset and updates pointers accordingly. By crafting a large enough value and seeking the file pointer past the end of a buffer this can be abused to corrupt heap memory. An attacker can abuse this to execute arbitrary code under the context of the user running the browser. Failed exploit attempts may cause a denial-of-service condition. Versions prior to Shockwave Player 11.5.7.609 are vulnerable. Note: This issue was previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); it has been given its own record to better document it. Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. 1) A boundary error while processing FFFFFF45h Shockwave 3D blocks can be exploited to corrupt memory. 2) A signedness error in the processing of Director files can be exploited to corrupt memory. 3) An array indexing error when processing Director files can be exploited to corrupt memory. 4) An integer overflow error when processing Director files can be exploited to corrupt memory. 5) An error when processing asset entries contained in Director files can be exploited to corrupt memory. 6) A boundary error when processing embedded fonts can be exploited to cause a heap-based buffer overflow via a specially crafted Director file. 7) An error when processing Director files can be exploited to overwrite 4 bytes of memory. 9) An error when processing a 4-byte field inside FFFFFF49h Shockwave 3D blocks can be exploited to corrupt heap memory. 10) An unspecified error can be exploited to corrupt memory. 11) A second unspecified error can be exploited to corrupt memory. 12) A third unspecified error can be exploited to corrupt memory. 13) A fourth unspecified error can be exploited to cause a buffer overflow. 14) A fifth unspecified error can be exploited to corrupt memory. 15) A sixth unspecified error can be exploited to corrupt memory. 16) A seventh unspecified error can be exploited to corrupt memory. 17) An error when processing signed values encountered while parsing "pami" RIFF chunks can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 11.5.7.609. http://get.adobe.com/shockwave/ PROVIDED AND/OR DISCOVERED BY: 1-6) Alin Rad Pop, Secunia Research The vendor also credits: 2) Nahuel Riva of Core Security Technologies. 3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person working with iDefense. 7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs, Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's FortiGuard Labs. 8, 17) an anonymous person working with ZDI. 9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI. 10) Chaouki Bekrar of Vupen. 11-16) Chro HD of Fortinet's FortiGuard Labs. CHANGELOG: 2010-05-12: Updated "Extended Description" and added PoCs for vulnerabilities #2, #3, #4, and #6. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb10-12.html Secunia Research: http://secunia.com/secunia_research/2010-17/ http://secunia.com/secunia_research/2010-19/ http://secunia.com/secunia_research/2010-20/ http://secunia.com/secunia_research/2010-22/ http://secunia.com/secunia_research/2010-34/ http://secunia.com/secunia_research/2010-50/ ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-087/ http://www.zerodayinitiative.com/advisories/ZDI-10-088/ http://www.zerodayinitiative.com/advisories/ZDI-10-089/ iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869 Code Audit Labs: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html Zero Science Lab: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php Core Security Technologies: http://www.coresecurity.com/content/adobe-director-invalid-read ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: Adobe has issued an update to correct this vulnerability. More details can be found at: http://www.adobe.com/support/security/bulletins/apsb10-12.html -- Disclosure Timeline: 2010-02-02 - Vulnerability reported to vendor 2010-05-11 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Trust: 2.88

sources: NVD: CVE-2010-1281 // JVNDB: JVNDB-2010-001480 // ZDI: ZDI-10-087 // BID: 40078 // ZSL: ZSL-2010-4937 // VULHUB: VHN-43886 // PACKETSTORM: 89462 // PACKETSTORM: 89422

AFFECTED PRODUCTS

vendor:adobemodel:shockwave playerscope:ltversion:11.5.7.609

Trust: 1.0

vendor:adobemodel:shockwave playerscope:lteversion:11.5.6.606

Trust: 0.8

vendor:adobemodel:shockwave playerscope: - version: -

Trust: 0.7

vendor:adobemodel:shockwave playerscope:eqversion:2.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:9

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:5.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:6.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:1.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:8.5.1

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:3.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:4.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:8.0

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:10.1.0.11

Trust: 0.6

vendor:adobemodel:shockwave playerscope:eqversion:11.5.6.606

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.2.606

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.2.602

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.1.601

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.601

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.600

Trust: 0.3

vendor:adobemodel:shockwave playerscope:eqversion:11.5.596

Trust: 0.3

vendor:adobemodel:shockwave playerscope:neversion:11.5.7.609

Trust: 0.3

vendor:adobe incorporatedmodel:shockwave playerscope:eqversion:11.5.6.606

Trust: 0.1

sources: ZSL: ZSL-2010-4937 // ZDI: ZDI-10-087 // BID: 40078 // JVNDB: JVNDB-2010-001480 // CNNVD: CNNVD-201005-196 // NVD: CVE-2010-1281

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1281
value: HIGH

Trust: 1.0

NVD: CVE-2010-1281
value: HIGH

Trust: 0.8

ZDI: CVE-2010-1281
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201005-196
value: HIGH

Trust: 0.6

ZSL: ZSL-2010-4937
value: (4/5)

Trust: 0.1

VULHUB: VHN-43886
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-1281
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2010-1281
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-43886
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2010-1281
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: ZSL: ZSL-2010-4937 // ZDI: ZDI-10-087 // VULHUB: VHN-43886 // JVNDB: JVNDB-2010-001480 // CNNVD: CNNVD-201005-196 // NVD: CVE-2010-1281

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-43886 // JVNDB: JVNDB-2010-001480 // NVD: CVE-2010-1281

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 89422 // CNNVD: CNNVD-201005-196

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201005-196

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:adobe:shockwave_player"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2010-001480

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2010-4937 // VULHUB: VHN-43886

PATCH

title:APSB10-12url:http://www.adobe.com/support/security/bulletins/apsb10-12.html

Trust: 1.5

title:APSB10-12url:http://www.adobe.com/jp/support/security/bulletins/apsb10-12.html

Trust: 0.8

title:Adobe Shockwave Player version 11.5.7.609url:http://123.124.177.30/web/xxk/bdxqById.tag?id=4081

Trust: 0.6

title:Adobe Shockwave Player version 11.5.7.609url:http://123.124.177.30/web/xxk/bdxqById.tag?id=4080

Trust: 0.6

title:Shockwave 11.5.7.609 for Mac Slimurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=3595

Trust: 0.6

title:Adobe Shockwave Player version 11.5.7.609url:http://123.124.177.30/web/xxk/bdxqById.tag?id=3594

Trust: 0.6

title:Adobe Shockwave Player version 11.5.7.609url:http://123.124.177.30/web/xxk/bdxqById.tag?id=4082

Trust: 0.6

sources: ZDI: ZDI-10-087 // JVNDB: JVNDB-2010-001480 // CNNVD: CNNVD-201005-196

EXTERNAL IDS

db:NVDid:CVE-2010-1281

Trust: 3.6

db:SECUNIAid:38751

Trust: 2.9

db:ZDIid:ZDI-10-087

Trust: 2.9

db:VUPENid:ADV-2010-1128

Trust: 2.6

db:JVNDBid:JVNDB-2010-001480

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-675

Trust: 0.7

db:CNNVDid:CNNVD-201005-196

Trust: 0.7

db:BIDid:40078

Trust: 0.4

db:ZSLid:ZSL-2010-4937

Trust: 0.3

db:PACKETSTORMid:89422

Trust: 0.2

db:XFid:58447

Trust: 0.1

db:EXPLOIT-DBid:12578

Trust: 0.1

db:BIDid:40081

Trust: 0.1

db:OSVDBid:64646

Trust: 0.1

db:AUSCERTid:ESB-2010.0436

Trust: 0.1

db:SECTRACKid:1023980

Trust: 0.1

db:VULHUBid:VHN-43886

Trust: 0.1

db:ZDIid:ZDI-10-089

Trust: 0.1

db:ZDIid:ZDI-10-088

Trust: 0.1

db:PACKETSTORMid:89462

Trust: 0.1

sources: ZSL: ZSL-2010-4937 // ZDI: ZDI-10-087 // VULHUB: VHN-43886 // BID: 40078 // JVNDB: JVNDB-2010-001480 // PACKETSTORM: 89462 // PACKETSTORM: 89422 // CNNVD: CNNVD-201005-196 // NVD: CVE-2010-1281

REFERENCES

url:http://www.adobe.com/support/security/bulletins/apsb10-12.html

Trust: 3.0

url:http://www.vupen.com/english/advisories/2010/1128

Trust: 2.6

url:http://secunia.com/advisories/38751

Trust: 2.5

url:http://www.zerodayinitiative.com/advisories/zdi-10-087/

Trust: 2.1

url:http://www.securityfocus.com/archive/1/511252/100/0/threaded

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a7268

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1281

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1281

Trust: 0.8

url:http://www.adobe.com/products/shockwaveplayer/

Trust: 0.3

url:/archive/1/511252

Trust: 0.3

url:http://secunia.com/advisories/38751/

Trust: 0.2

url:http://packetstormsecurity.org/filedesc/zsl-2010-4937.txt.html

Trust: 0.1

url:http://www.qualys.com/research/alerts/view.php/2010-05-11-2

Trust: 0.1

url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1280

Trust: 0.1

url:http://www.exploit-db.com/exploits/12578

Trust: 0.1

url:http://www.securityfocus.com/bid/40081

Trust: 0.1

url:http://www.0daynet.com/2010/0512/335.html

Trust: 0.1

url:http://securityreason.com/exploitalert/8249

Trust: 0.1

url:http://forums.cnet.com/5208-6132_102-0.html?messageid=3303052

Trust: 0.1

url:http://news.dreamings.org/?p=1050

Trust: 0.1

url:http://securitytracker.com/alerts/2010/may/1023980.html

Trust: 0.1

url:http://www.auscert.org.au/render.html?it=12789

Trust: 0.1

url:http://securityvulns.ru/xdocument830.html

Trust: 0.1

url:http://xforce.iss.net/xforce/xfdb/58447

Trust: 0.1

url:http://osvdb.org/show/osvdb/64646

Trust: 0.1

url:http://www.nessus.org/plugins/index.php?view=single&amp;id=46329

Trust: 0.1

url:http://secunia.com/secunia_research/2010-19/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-089/

Trust: 0.1

url:http://secunia.com/company/jobs/

Trust: 0.1

url:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html

Trust: 0.1

url:http://secunia.com/secunia_research/2010-17/

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/secunia_research/2010-34/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-088/

Trust: 0.1

url:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html

Trust: 0.1

url:http://secunia.com/secunia_research/2010-22/

Trust: 0.1

url:http://secunia.com/secunia_research/2010-50/

Trust: 0.1

url:http://get.adobe.com/shockwave/

Trust: 0.1

url:http://www.coresecurity.com/content/adobe-director-invalid-read

Trust: 0.1

url:http://secunia.com/secunia_research/2010-20/

Trust: 0.1

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2010-4937.php

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-087

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-1281

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:http://twitter.com/thezdi

Trust: 0.1

url:http://www.zerodayinitiative.com

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

sources: ZSL: ZSL-2010-4937 // ZDI: ZDI-10-087 // VULHUB: VHN-43886 // BID: 40078 // JVNDB: JVNDB-2010-001480 // PACKETSTORM: 89462 // PACKETSTORM: 89422 // CNNVD: CNNVD-201005-196 // NVD: CVE-2010-1281

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-10-087

SOURCES

db:ZSLid:ZSL-2010-4937
db:ZDIid:ZDI-10-087
db:VULHUBid:VHN-43886
db:BIDid:40078
db:JVNDBid:JVNDB-2010-001480
db:PACKETSTORMid:89462
db:PACKETSTORMid:89422
db:CNNVDid:CNNVD-201005-196
db:NVDid:CVE-2010-1281

LAST UPDATE DATE

2024-11-23T21:47:30.839000+00:00


SOURCES UPDATE DATE

db:ZSLid:ZSL-2010-4937date:2011-03-06T00:00:00
db:ZDIid:ZDI-10-087date:2010-05-11T00:00:00
db:VULHUBid:VHN-43886date:2018-10-10T00:00:00
db:BIDid:40078date:2010-05-11T00:00:00
db:JVNDBid:JVNDB-2010-001480date:2010-05-31T00:00:00
db:CNNVDid:CNNVD-201005-196date:2022-09-30T00:00:00
db:NVDid:CVE-2010-1281date:2024-11-21T01:14:02.653

SOURCES RELEASE DATE

db:ZSLid:ZSL-2010-4937date:2010-05-11T00:00:00
db:ZDIid:ZDI-10-087date:2010-05-11T00:00:00
db:VULHUBid:VHN-43886date:2010-05-13T00:00:00
db:BIDid:40078date:2010-05-11T00:00:00
db:JVNDBid:JVNDB-2010-001480date:2010-05-31T00:00:00
db:PACKETSTORMid:89462date:2010-05-13T07:29:48
db:PACKETSTORMid:89422date:2010-05-12T02:48:48
db:CNNVDid:CNNVD-201005-196date:2010-05-13T00:00:00
db:NVDid:CVE-2010-1281date:2010-05-13T17:30:02.030