Details of VAR-201005-0107

ID

VAR-201005-0107

CVE

CVE-2010-1288

TITLE

Adobe Shockwave Player Vulnerable to buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2010-001486

DESCRIPTION

Buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow attackers to execute arbitrary code via unspecified vectors. Adobe Shockwave Player 11.5.6.606 and prior are vulnerable. NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers. -------------------------------------------------------------------------------- <code> (f94.ae4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8 eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206 *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - DIRAPI!Ordinal14+0x3b16: 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=???????? ----------------------- EAX FFFFFFFF ECX 41414141 EDX FFFFFFFF EBX 00000018 ESP 0012F3B4 EBP 02793578 ESI 0012F3C4 EDI 02793578 EIP 69009F1F IML32.69009F1F </code> -------------------------------------------------------------------------------- Tested on: Microsoft Windows XP Professional SP3 (English). ---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. 1) A boundary error while processing FFFFFF45h Shockwave 3D blocks can be exploited to corrupt memory. 2) A signedness error in the processing of Director files can be exploited to corrupt memory. 3) An array indexing error when processing Director files can be exploited to corrupt memory. 4) An integer overflow error when processing Director files can be exploited to corrupt memory. 5) An error when processing asset entries contained in Director files can be exploited to corrupt memory. 6) A boundary error when processing embedded fonts can be exploited to cause a heap-based buffer overflow via a specially crafted Director file. 7) An error when processing Director files can be exploited to overwrite 4 bytes of memory. 8) An error in the implementation of ordinal function 1409 in iml32.dll can be exploited to corrupt heap memory via a specially crafted Director file. 9) An error when processing a 4-byte field inside FFFFFF49h Shockwave 3D blocks can be exploited to corrupt heap memory. 10) An unspecified error can be exploited to corrupt memory. 11) A second unspecified error can be exploited to corrupt memory. 12) A third unspecified error can be exploited to corrupt memory. 13) A fourth unspecified error can be exploited to cause a buffer overflow. 14) A fifth unspecified error can be exploited to corrupt memory. 15) A sixth unspecified error can be exploited to corrupt memory. 16) A seventh unspecified error can be exploited to corrupt memory. 17) An error when processing signed values encountered while parsing "pami" RIFF chunks can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerabilities are reported in versions 11.5.6.606 and prior on Windows and Macintosh. SOLUTION: Update to version 11.5.7.609. http://get.adobe.com/shockwave/ PROVIDED AND/OR DISCOVERED BY: 1-6) Alin Rad Pop, Secunia Research The vendor also credits: 2) Nahuel Riva of Core Security Technologies. 3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person working with iDefense. 7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs, Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's FortiGuard Labs. 8, 17) an anonymous person working with ZDI. 9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI. 10) Chaouki Bekrar of Vupen. 11-16) Chro HD of Fortinet's FortiGuard Labs. CHANGELOG: 2010-05-12: Updated "Extended Description" and added PoCs for vulnerabilities #2, #3, #4, and #6. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb10-12.html Secunia Research: http://secunia.com/secunia_research/2010-17/ http://secunia.com/secunia_research/2010-19/ http://secunia.com/secunia_research/2010-20/ http://secunia.com/secunia_research/2010-22/ http://secunia.com/secunia_research/2010-34/ http://secunia.com/secunia_research/2010-50/ ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-087/ http://www.zerodayinitiative.com/advisories/ZDI-10-088/ http://www.zerodayinitiative.com/advisories/ZDI-10-089/ iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869 Code Audit Labs: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html Zero Science Lab: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php Core Security Technologies: http://www.coresecurity.com/content/adobe-director-invalid-read ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.16

sources: NVD: CVE-2010-1288 // JVNDB: JVNDB-2010-001486 // BID: 40096 // ZSL: ZSL-2010-4937 // VULHUB: VHN-43893 // PACKETSTORM: 89462

AFFECTED PRODUCTS

vendor:	adobe	model:	shockwave player	scope:	lte	version:	11.5.6.606	Trust: 1.8
vendor:	adobe	model:	shockwave player	scope:	eq	version:	6.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	4.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	2.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	3.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	5.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	1.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	8.5.1	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	10.1.0.11	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	9	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	8.0	Trust: 1.6
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.2.602	Trust: 1.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.1.601	Trust: 1.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.0.595	Trust: 1.0
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.0.596	Trust: 1.0
vendor:	adobe	model:	shockwave player	scope:	eq	version:	-	Trust: 1.0
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.0.0.456	Trust: 1.0
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.6.606	Trust: 0.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.2.606	Trust: 0.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.601	Trust: 0.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.600	Trust: 0.3
vendor:	adobe	model:	shockwave player	scope:	eq	version:	11.5.596	Trust: 0.3
vendor:	adobe	model:	shockwave player	scope:	ne	version:	11.5.7.609	Trust: 0.3
vendor:	adobe incorporated	model:	shockwave player	scope:	eq	version:	11.5.6.606	Trust: 0.1

sources: ZSL: ZSL-2010-4937 // BID: 40096 // JVNDB: JVNDB-2010-001486 // CNNVD: CNNVD-201005-211 // NVD: CVE-2010-1288

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-1288
value:	HIGH
Trust: 1.0
NVD:	CVE-2010-1288
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201005-211
value:	CRITICAL
Trust: 0.6
ZSL:	ZSL-2010-4937
value:	(4/5)
Trust: 0.1
VULHUB:	VHN-43893
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2010-1288
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-43893
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZSL: ZSL-2010-4937 // VULHUB: VHN-43893 // JVNDB: JVNDB-2010-001486 // CNNVD: CNNVD-201005-211 // NVD: CVE-2010-1288

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-43893 // JVNDB: JVNDB-2010-001486 // NVD: CVE-2010-1288

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201005-211

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201005-211

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001486

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2010-4937

PATCH

title:	APSB10-12	url:	http://www.adobe.com/support/security/bulletins/apsb10-12.html	Trust: 0.8
title:	APSB10-12	url:	http://www.adobe.com/jp/support/security/bulletins/apsb10-12.html	Trust: 0.8
title:	Adobe Shockwave Player version 11.5.7.609	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=4081	Trust: 0.6
title:	Adobe Shockwave Player version 11.5.7.609	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=4080	Trust: 0.6
title:	Shockwave 11.5.7.609 for Mac Slim	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3595	Trust: 0.6
title:	Adobe Shockwave Player version 11.5.7.609	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3594	Trust: 0.6
title:	Adobe Shockwave Player version 11.5.7.609	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=4082	Trust: 0.6

sources: JVNDB: JVNDB-2010-001486 // CNNVD: CNNVD-201005-211

EXTERNAL IDS

db:	SECUNIA	id:	38751	Trust: 2.9
db:	NVD	id:	CVE-2010-1288	Trust: 2.8
db:	VUPEN	id:	ADV-2010-1128	Trust: 2.6
db:	JVNDB	id:	JVNDB-2010-001486	Trust: 0.8
db:	CNNVD	id:	CNNVD-201005-211	Trust: 0.7
db:	BID	id:	40096	Trust: 0.4
db:	ZSL	id:	ZSL-2010-4937	Trust: 0.3
db:	XF	id:	58447	Trust: 0.1
db:	EXPLOIT-DB	id:	12578	Trust: 0.1
db:	BID	id:	40081	Trust: 0.1
db:	OSVDB	id:	64646	Trust: 0.1
db:	AUSCERT	id:	ESB-2010.0436	Trust: 0.1
db:	SECTRACK	id:	1023980	Trust: 0.1
db:	VULHUB	id:	VHN-43893	Trust: 0.1
db:	ZDI	id:	ZDI-10-087	Trust: 0.1
db:	ZDI	id:	ZDI-10-089	Trust: 0.1
db:	ZDI	id:	ZDI-10-088	Trust: 0.1
db:	PACKETSTORM	id:	89462	Trust: 0.1

sources: ZSL: ZSL-2010-4937 // VULHUB: VHN-43893 // BID: 40096 // JVNDB: JVNDB-2010-001486 // PACKETSTORM: 89462 // CNNVD: CNNVD-201005-211 // NVD: CVE-2010-1288

REFERENCES

url:	http://www.vupen.com/english/advisories/2010/1128	Trust: 2.6
url:	http://secunia.com/advisories/38751	Trust: 2.5
url:	http://www.adobe.com/support/security/bulletins/apsb10-12.html	Trust: 2.2
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a7543	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1288	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1288	Trust: 0.8
url:	http://www.adobe.com	Trust: 0.3
url:	http://secunia.com/advisories/38751/	Trust: 0.2
url:	http://packetstormsecurity.org/filedesc/zsl-2010-4937.txt.html	Trust: 0.1
url:	http://www.qualys.com/research/alerts/view.php/2010-05-11-2	Trust: 0.1
url:	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1280	Trust: 0.1
url:	http://www.exploit-db.com/exploits/12578	Trust: 0.1
url:	http://www.securityfocus.com/bid/40081	Trust: 0.1
url:	http://www.0daynet.com/2010/0512/335.html	Trust: 0.1
url:	http://securityreason.com/exploitalert/8249	Trust: 0.1
url:	http://forums.cnet.com/5208-6132_102-0.html?messageid=3303052	Trust: 0.1
url:	http://news.dreamings.org/?p=1050	Trust: 0.1
url:	http://securitytracker.com/alerts/2010/may/1023980.html	Trust: 0.1
url:	http://www.auscert.org.au/render.html?it=12789	Trust: 0.1
url:	http://securityvulns.ru/xdocument830.html	Trust: 0.1
url:	http://xforce.iss.net/xforce/xfdb/58447	Trust: 0.1
url:	http://osvdb.org/show/osvdb/64646	Trust: 0.1
url:	http://www.nessus.org/plugins/index.php?view=single&id=46329	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-19/	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-089/	Trust: 0.1
url:	http://secunia.com/company/jobs/	Trust: 0.1
url:	http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-17/	Trust: 0.1
url:	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-087/	Trust: 0.1
url:	http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-34/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-088/	Trust: 0.1
url:	http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-22/	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-50/	Trust: 0.1
url:	http://get.adobe.com/shockwave/	Trust: 0.1
url:	http://www.coresecurity.com/content/adobe-director-invalid-read	Trust: 0.1
url:	http://secunia.com/secunia_research/2010-20/	Trust: 0.1
url:	http://www.zeroscience.mk/en/vulnerabilities/zsl-2010-4937.php	Trust: 0.1

sources: ZSL: ZSL-2010-4937 // VULHUB: VHN-43893 // BID: 40096 // JVNDB: JVNDB-2010-001486 // PACKETSTORM: 89462 // CNNVD: CNNVD-201005-211 // NVD: CVE-2010-1288

CREDITS

Chro HD of Fortinet's FortiGuard Labs

Trust: 0.3

sources: BID: 40096

SOURCES

db:	ZSL	id:	ZSL-2010-4937
db:	VULHUB	id:	VHN-43893
db:	BID	id:	40096
db:	JVNDB	id:	JVNDB-2010-001486
db:	PACKETSTORM	id:	89462
db:	CNNVD	id:	CNNVD-201005-211
db:	NVD	id:	CVE-2010-1288

LAST UPDATE DATE

2024-11-23T21:47:30.578000+00:00

SOURCES UPDATE DATE

db:	ZSL	id:	ZSL-2010-4937	date:	2011-03-06T00:00:00
db:	VULHUB	id:	VHN-43893	date:	2017-09-19T00:00:00
db:	BID	id:	40096	date:	2010-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2010-001486	date:	2010-06-01T00:00:00
db:	CNNVD	id:	CNNVD-201005-211	date:	2021-09-23T00:00:00
db:	NVD	id:	CVE-2010-1288	date:	2024-11-21T01:14:03.493

SOURCES RELEASE DATE

db:	ZSL	id:	ZSL-2010-4937	date:	2010-05-11T00:00:00
db:	VULHUB	id:	VHN-43893	date:	2010-05-13T00:00:00
db:	BID	id:	40096	date:	2010-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2010-001486	date:	2010-06-01T00:00:00
db:	PACKETSTORM	id:	89462	date:	2010-05-13T07:29:48
db:	CNNVD	id:	CNNVD-201005-211	date:	2010-05-13T00:00:00
db:	NVD	id:	CVE-2010-1288	date:	2010-05-13T21:30:01.593