ID

VAR-201005-0102

CVE

CVE-2010-1282

TITLE

Adobe Shockwave Player Service disruption in (DoS) Vulnerabilities

DESCRIPTION

Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file. Adobe Shockwave Player is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause the affected application to consume excessive resources, resulting in a denial-of-service condition. Adobe Shockwave Player 11.5.6.606 and prior are vulnerable. NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director.Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from a memory consumption / corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. 1) A boundary error while processing FFFFFF45h Shockwave 3D blocks can be exploited to corrupt memory. 2) A signedness error in the processing of Director files can be exploited to corrupt memory. 3) An array indexing error when processing Director files can be exploited to corrupt memory. 4) An integer overflow error when processing Director files can be exploited to corrupt memory. 5) An error when processing asset entries contained in Director files can be exploited to corrupt memory. 6) A boundary error when processing embedded fonts can be exploited to cause a heap-based buffer overflow via a specially crafted Director file. 7) An error when processing Director files can be exploited to overwrite 4 bytes of memory. 8) An error in the implementation of ordinal function 1409 in iml32.dll can be exploited to corrupt heap memory via a specially crafted Director file. 9) An error when processing a 4-byte field inside FFFFFF49h Shockwave 3D blocks can be exploited to corrupt heap memory. 10) An unspecified error can be exploited to corrupt memory. 11) A second unspecified error can be exploited to corrupt memory. 12) A third unspecified error can be exploited to corrupt memory. 13) A fourth unspecified error can be exploited to cause a buffer overflow. 14) A fifth unspecified error can be exploited to corrupt memory. 15) A sixth unspecified error can be exploited to corrupt memory. 16) A seventh unspecified error can be exploited to corrupt memory. 17) An error when processing signed values encountered while parsing "pami" RIFF chunks can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerabilities are reported in versions 11.5.6.606 and prior on Windows and Macintosh. SOLUTION: Update to version 11.5.7.609. http://get.adobe.com/shockwave/ PROVIDED AND/OR DISCOVERED BY: 1-6) Alin Rad Pop, Secunia Research The vendor also credits: 2) Nahuel Riva of Core Security Technologies. 3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person working with iDefense. 7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs, Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's FortiGuard Labs. 8, 17) an anonymous person working with ZDI. 9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI. 10) Chaouki Bekrar of Vupen. 11-16) Chro HD of Fortinet's FortiGuard Labs. CHANGELOG: 2010-05-12: Updated "Extended Description" and added PoCs for vulnerabilities #2, #3, #4, and #6. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb10-12.html Secunia Research: http://secunia.com/secunia_research/2010-17/ http://secunia.com/secunia_research/2010-19/ http://secunia.com/secunia_research/2010-20/ http://secunia.com/secunia_research/2010-22/ http://secunia.com/secunia_research/2010-34/ http://secunia.com/secunia_research/2010-50/ ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-087/ http://www.zerodayinitiative.com/advisories/ZDI-10-088/ http://www.zerodayinitiative.com/advisories/ZDI-10-089/ iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869 Code Audit Labs: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html Zero Science Lab: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php Core Security Technologies: http://www.coresecurity.com/content/adobe-director-invalid-read ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . User interaction is required in that a user must visit a malicious web site. Exploitation can lead to remote system high cpu load ( infinite loop). ref http://hi.baidu.com/fs_fx/blog/item/f8de1d18ba8c9b76dbb4bd56.html http://www.adobe.com/support/security/bulletins/apsb10-12.html Disclosure Timeline =================== 2010-2-6 report to vendor 2010-2-7 vendor ask poc file 2010-2-7 we sent the poc file. 2010-2-8 vendor comfirm the issue. 2010-5-11 Coordinated public release of advisory. About Code Audit Labs: ===================== Code Audit Labs is department of VulnHunt company which provide a professional security testing products / services / security consulting and training ,we sincerely hope we can help your procudes to improve code quality and safety. WebSite http://www.VulnHunt.com ( online soon)

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

resource management error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Code Audit Labs

SOURCES

LAST UPDATE DATE

2024-11-23T21:47:30.421000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE