Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Title: Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities
Advisory ID: ZSL-2010-4937
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 11.05.2010
Summary
Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director.
Description
Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from memory consumption, memory corruption and buffer overflow vulnerabilities that can be abused to cause denial of service scenarios or arbitrary code execution. The vulnerable software fails to sanitize user input when processing .dir files, resulting in a crash and the overwriting of a few CPU registers.

--------------------------------------------------------------------------------

(f94.ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll -
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

-----------------------

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

--------------------------------------------------------------------------------
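As an added illustration (not part of the original advisory), the following Python script triages the two register dumps quoted above: it parses both the WinDbg layout and the OllyDbg-style layout, flags registers holding the 0x41 fill pattern (or a value one arithmetic step away from it, as with edx=41414140), flags 0xFFFFFFFF values, and reports the unmapped read the faulting instruction attempted. The fill-pattern threshold and the register list are this example's assumptions.

```python
import re

# Register dumps copied from the advisory above (WinDbg and OllyDbg style).
WINDBG_DUMP = """(f94.ae4): Access violation - code c0000005 (first chance)
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????
"""
OLLY_DUMP = """EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F
"""

# "eax=20a0a0a0" (WinDbg) or "EAX FFFFFFFF" (OllyDbg); 9 general-purpose x86 registers.
REG_RE = re.compile(r'\b(e[abcd]x|e[sd]i|e[sb]p|eip)[ =]([0-9a-fA-F]{8})\b', re.IGNORECASE)
# WinDbg prints "????????" when the accessed address is not mapped.
FAULT_RE = re.compile(r'ds:[0-9a-f]{4}:([0-9a-f]{8})=\?+')

def parse_registers(dump):
    """Return {register: value} for both dump styles (names lower-cased)."""
    return {m.group(1).lower(): int(m.group(2), 16) for m in REG_RE.finditer(dump)}

def tainted(value, fill=0x41, slack=0x10):
    """True if value is the fill pattern, allowing for small arithmetic already applied."""
    return abs(value - int(f'{fill:02x}' * 4, 16)) <= slack

def triage(dump):
    """List the crash-triage findings a defender would record for this dump."""
    findings = []
    for reg, val in parse_registers(dump).items():
        if tainted(val):
            findings.append(f"{reg} holds input-derived fill pattern 0x{val:08x}")
        elif val == 0xFFFFFFFF:
            findings.append(f"{reg} is 0xffffffff (wrapped or invalid length/index)")
    fault = FAULT_RE.search(dump)
    if fault:
        findings.append(f"faulting read from unmapped address 0x{fault.group(1)}")
    return findings

if __name__ == "__main__":
    for name, dump in (("WinDbg", WINDBG_DUMP), ("OllyDbg", OLLY_DUMP)):
        print(name, *triage(dump), sep="\n  ")
```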

Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
11.5.6.606
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[19.09.2009] Vulnerability discovered.
[09.03.2010] Vendor contacted with sent PoC files.
[09.03.2010] Vendor replied.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor verifies the weakness.
[06.05.2010] Vendor reveals patch release date.
[11.05.2010] Coordinated public advisory.
PoC
shockwave_mem.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David
References
[1] http://www.adobe.com/support/security/bulletins/apsb10-12.html
[2] http://packetstormsecurity.org/filedesc/ZSL-2010-4937.txt.html
[3] http://www.qualys.com/research/alerts/view.php/2010-05-11-2
[4] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1280
[5] http://secunia.com/advisories/38751/
[6] http://www.exploit-db.com/exploits/12578
[7] http://www.securityfocus.com/bid/40081
[8] http://www.vupen.com/english/advisories/2010/1128
[9] http://www.0daynet.com/2010/0512/335.html
[10] http://securityreason.com/exploitalert/8249
[11] http://forums.cnet.com/5208-6132_102-0.html?messageID=3303052
[12] http://news.dreamings.org/?p=1050
[13] http://securitytracker.com/alerts/2010/May/1023980.html
[14] http://www.auscert.org.au/render.html?it=12789
[15] http://securityvulns.ru/Xdocument830.html
[16] http://xforce.iss.net/xforce/xfdb/58447
[17] http://osvdb.org/show/osvdb/64646
[18] http://www.nessus.org/plugins/index.php?view=single&id=46329
Changelog
[11.05.2010] - Initial release
[12.05.2010] - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
[13.05.2010] - Added reference [10], [11], [12], [13], [14] and [15]
[17.05.2010] - Added reference [16]
[18.05.2010] - Added reference [17]
[06.03.2011] - Added reference [18]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk