
Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

High
Advisory ID
ZSL-2010-4937
Release Date
11 May 2010
Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
11.5.6.606
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director.

Description

Adobe Shockwave Player version 11.5.6.606 and earlier suffers from memory consumption/corruption and buffer overflow vulnerabilities that can help an attacker cause denial of service and execute arbitrary code. The vulnerable software fails to sanitize user input when processing .dir files, resulting in a crash and the overwrite of a few registers.

(f94.ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll -
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

-----------------------

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F
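
Added triage example, not part of the original advisory or its PoC files: the Python below parses the two register dumps shown above, flags registers whose values derive from 0x41 filler bytes, and recomputes the address of the faulting read. The function names, the assumption that the test file was padded with 'A' bytes, and the default 2 GB user/kernel split on 32-bit Windows XP are assumptions of this example.

```python
import re

# Register state copied from the two crash dumps in the advisory above.
CRASH_DIRAPI = ("eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 "
                "edi=a80487d8 eip=68008bd6 esp=0012de4c ebp=00000400")
CRASH_IML32 = ("EAX FFFFFFFF ECX 41414141 EDX FFFFFFFF EBX 00000018 ESP 0012F3B4 "
               "EBP 02793578 ESI 0012F3C4 EDI 02793578 EIP 69009F1F")
FAULT_INSN = "sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????"

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))[= ]([0-9a-f]{8})\b", re.I)

def parse_registers(text):
    """Return {register: value} from 'eax=...' or 'EAX ...' style dumps."""
    return {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}

def filler_tainted(regs, filler=0x41, slack=1):
    """Registers within `slack` of a 32-bit word made only of the filler byte.
    Assumption: the crashing file was padded with 'A' (0x41) bytes."""
    word = int.from_bytes(bytes([filler]) * 4, "big")
    return sorted(r for r, v in regs.items() if abs(v - word) <= slack)

def effective_address(insn, regs):
    """Resolve a '[reg+disp]' / '[reg-disp]' operand against the register state."""
    m = re.search(r"\[(e\w\w)([+-])([0-9a-f]+)\]", insn, re.I)
    base, sign, disp = m.group(1).lower(), m.group(2), int(m.group(3), 16)
    return (regs[base] + (disp if sign == "+" else -disp)) & 0xFFFFFFFF

def fault_summary(insn, regs):
    """Cross-check the faulting operand against what the debugger reported."""
    ea = effective_address(insn, regs)
    shown = int(re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})", insn, re.I).group(1), 16)
    return {
        "address": ea,
        "matches_debugger": ea == shown,
        "unreadable": insn.endswith("????????"),
        # Assumption: default 2 GB split, so >= 0x80000000 is not user-mode memory.
        "outside_user_space": ea >= 0x80000000,
    }

if __name__ == "__main__":
    for label, dump in (("DIRAPI", CRASH_DIRAPI), ("IML32", CRASH_IML32)):
        print(label, "filler-derived registers:", filler_tainted(parse_registers(dump)))
    print(fault_summary(FAULT_INSN, parse_registers(CRASH_DIRAPI)))
```

In the DIRAPI crash the read through `edi` targets an address outside user space, which is why the access violation fires; `edx` in that dump and `ecx` in the IML32 dump carry values taken from the file's filler bytes.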
Proof of Concept
Disclosure Timeline
19.09.2009 - Vulnerability discovered.
09.03.2010 - Vendor contacted; PoC files sent.
09.03.2010 - Vendor replied.
21.03.2010 - Asked vendor for confirmation.
21.03.2010 - Vendor verifies the weakness.
06.05.2010 - Vendor reveals patch release date.
11.05.2010 - Coordinated public advisory.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Wendy and David
References
Changelog
11.05.2010 - Initial release
12.05.2010 - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
13.05.2010 - Added reference [10], [11], [12], [13], [14] and [15]
17.05.2010 - Added reference [16]
18.05.2010 - Added reference [17]
06.03.2011 - Added reference [18]