ZDI-10-089: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability
2010-05-12T00:00:00
ID SECURITYVULNS:DOC:23828 Type securityvulns Reporter Securityvulns Modified 2010-05-12T00:00:00
Description
ZDI-10-089: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-089
May 11, 2010
-- CVE ID:
CVE-2010-1292
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9689.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the code responsible for parsing
Director files. When the application parses the pami RIFF chunk, it
trusts an offset value and seeks into the file data. If provided with
signed values in the data at the given offset, the process can be made
to incorrectly calculate a pointer and operate on the data at it's
location. This can be abused by an attacker to execute arbitrary code
under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
-- Disclosure Timeline:
2010-04-08 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
{"id": "SECURITYVULNS:DOC:23828", "bulletinFamily": "software", "title": "ZDI-10-089: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability", "description": "ZDI-10-089: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-089\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1292\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Shockwave Player\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9689. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Shockwave. User interaction is\r\nrequired to exploit this vulnerability in that the target must visit a\r\nmalicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the code responsible for parsing\r\nDirector files. When the application parses the pami RIFF chunk, it\r\ntrusts an offset value and seeks into the file data. If provided with\r\nsigned values in the data at the given offset, the process can be made\r\nto incorrectly calculate a pointer and operate on the data at it's\r\nlocation. This can be abused by an attacker to execute arbitrary code\r\nunder the context of the user running the browser.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-12.html\r\n\r\n-- Disclosure Timeline:\r\n2010-04-08 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "published": "2010-05-12T00:00:00", "modified": "2010-05-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23828", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-1292"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:34", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "2a2611e4c637255530cea92d3f04a80b"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "36e7b8dafdbf6a1776950c9328f4c4c0"}, {"key": "href", "hash": "0050f8eed30b0931f52b362a66031dc5"}, {"key": "modified", "hash": "8a00ba0e38fa9989bca8d69602eac8a9"}, {"key": "published", "hash": "8a00ba0e38fa9989bca8d69602eac8a9"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "76bc9e5357dca58048e78e74a658009b"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "fdaafbaf481da2e64d2521ab378898fc0e4022ae74ef2a014447879a034a3d8d", "viewCount": 3, "enchantments": {"score": {"value": 8.2, "vector": "NONE", "modified": "2018-08-31T11:10:34", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1292"]}, {"type": "zdi", "idList": ["ZDI-10-089"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801335", "OPENVAS:801335"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:23830", "SECURITYVULNS:VULN:10828"]}, {"type": "nessus", "idList": ["SHOCKWAVE_PLAYER_APSB10-12.NASL", "MACOSX_SHOCKWAVE_PLAYER_APSB10-12.NASL"]}], "modified": "2018-08-31T11:10:34", "rev": 2}, "vulnersScore": 8.2}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2019-05-29T18:10:27", "bulletinFamily": "NVD", "description": "The implementation of pami RIFF chunk parsing in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-12.html\r\n\r\n'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609'", "modified": "2018-10-10T19:56:00", "id": "CVE-2010-1292", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1292", "published": "2010-05-13T17:30:00", "title": "CVE-2010-1292", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:41:26", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing Director files. When the application parses the pami RIFF chunk, it trusts an offset value and seeks into the file data. If provided with signed values in the data at the given offset, the process can be made to incorrectly calculate a pointer and operate on the data at it's location. This can be abused by an attacker to execute arbitrary code under the context of the user running the browser.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-089/", "id": "ZDI-10-089", "title": "Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-04-27T19:23:06", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "modified": "2020-04-23T00:00:00", "published": "2010-05-19T00:00:00", "id": "OPENVAS:1361412562310801335", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801335", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801335\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-05-19 14:50:39 +0200 (Wed, 19 May 2010)\");\n script_cve_id(\"CVE-2010-0127\", \"CVE-2010-0128\", \"CVE-2010-0129\", \"CVE-2010-0130\",\n \"CVE-2010-1280\", \"CVE-2010-1281\", \"CVE-2010-1282\", \"CVE-2010-1283\",\n \"CVE-2010-1284\", \"CVE-2010-1286\", \"CVE-2010-1287\", \"CVE-2010-1288\",\n \"CVE-2010-1289\", \"CVE-2010-1290\", \"CVE-2010-1291\", \"CVE-2010-1292\",\n \"CVE-2010-0987\", \"CVE-2010-0986\");\n script_bugtraq_id(40083, 40076, 40082, 40084, 40081, 40078, 40077, 40088, 40091,\n 40085, 40089, 40096, 40094, 40087, 40090, 40079, 40093, 40086);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/38751\");\n script_xref(name:\"URL\", value:\"http://www.zeroscience.mk/codes/shockwave_mem.txt\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1128\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_xref(name:\"URL\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_mandatory_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code in\n the context of the affected application by tricking a user into visiting a\n specially crafted web page.\");\n script_tag(name:\"affected\", value:\"Adobe Shockwave Player prior to 11.5.7.609 on Windows.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are caused by memory corruption errors, integer and buffer\n overflows, array indexing, and signedness errors when processing malformed\n 'Shockwave' or 'Director' files, which could be exploited by attackers to\n execute arbitrary code by tricking a user into visiting a specially crafted\n web page.\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Shockwave Player 11.5.7.609.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\nif(version_is_less(version:shockVer, test_version:\"11.5.7.609\")){\n report = report_fixed_ver(installed_version:shockVer, fixed_version:\"11.5.7.609\");\n security_message(port: 0, data: report);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:50", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "modified": "2017-02-10T00:00:00", "published": "2010-05-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801335", "id": "OPENVAS:801335", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_mult_code_exe_vuln_may10.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary code in\n the context of the affected application by tricking a user into visiting a\n specially crafted web page.\n Impact Level: Application.\";\ntag_affected = \"Adobe Shockwave Player prior to 11.5.7.609 on Windows.\";\ntag_insight = \"Multiple flaws are caused by memory corruption errors, integer and buffer\n overflows, array indexing, and signedness errors when processing malformed\n 'Shockwave' or 'Director' files, which could be exploited by attackers to\n execute arbitrary code by tricking a user into visiting a specially crafted\n web page.\";\ntag_solution = \"Upgrade to Adobe Shockwave Player 11.5.7.609\n http://get.adobe.com/shockwave/otherversions/\";\ntag_summary = \"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\";\n\nif(description)\n{\n script_id(801335);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-19 14:50:39 +0200 (Wed, 19 May 2010)\");\n script_cve_id(\"CVE-2010-0127\", \"CVE-2010-0128\", \"CVE-2010-0129\", \"CVE-2010-0130\",\n \"CVE-2010-1280\", \"CVE-2010-1281\", \"CVE-2010-1282\", \"CVE-2010-1283\",\n \"CVE-2010-1284\", \"CVE-2010-1286\", \"CVE-2010-1287\", \"CVE-2010-1288\",\n \"CVE-2010-1289\", \"CVE-2010-1290\", \"CVE-2010-1291\", \"CVE-2010-1292\",\n \"CVE-2010-0987\", \"CVE-2010-0986\");\n script_bugtraq_id(40083, 40076, 40082, 40084, 40081, 40078, 40077, 40088, 40091,\n 40085, 40089, 40096, 40094, 40087, 40090, 40079, 40093, 40086);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38751\");\n script_xref(name : \"URL\" , value : \"http://www.zeroscience.mk/codes/shockwave_mem.txt\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1128\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_xref(name : \"URL\" , value : \"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_xref(name : \"URL\" , value : \"http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_require_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\n# Check for versions prior to 11.5.7.609\nif(version_is_less(version:shockVer, test_version:\"11.5.7.609\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "description": "Security update available for Shockwave Player\r\n\r\nRelease date: May 11, 2010\r\n\r\nVulnerability identifier: APSB10-12\r\n\r\nCVE number: CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987, CVE-2010-1280, CVE-2010-1281, CVE-2010-1282, CVE-2010-1283, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292\r\n\r\nPlatform: Windows and Macintosh\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided below.\r\nAffected software versions\r\n\r\nShockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh\r\nSolution\r\n\r\nAdobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions upgrade to the newest version 11.5.7.609, available here: http://get.adobe.com/shockwave/.\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical update and recommends that users apply the update for their product installations.\r\nDetails\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided above.\r\n\r\nThis update resolves a boundary error vulnerability that if exploited, could lead to memory corruption and possible code execution (CVE-2010-0127).\r\n\r\nThis update resolves a signedness error vulnerability that could lead to code execution (CVE-2010-0128).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities due to integer overflow that could lead to code execution (CVE-2010-0129).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-0130).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0986).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0987).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1280).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1281).\r\n\r\nThis update resolves an infinite loop vulnerability that could lead to a denial of service (CVE-2010-1282).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1283).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1284).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1286).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1287).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-1288).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1289).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1290).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1291).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1292).\r\nAcknowledgments\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:\r\n\r\n * Chaouki Bekrar of VUPEN Vulnerability Research Team (CVE-2010-1280, CVE-2010-1283, CVE-2010-0129, CVE-2010-1284)\r\n * Sebastien Renaud of VUPEN Vulnerability Research Team (CVE-2010-1280)\r\n * Code Audit Labs (CVE-2010-0129, CVE-2010-1280, CVE-2010-1282)\r\n * Nahuel Riva of Core Security Technologies (CVE-2010-0128)\r\n * Gjoko Krstic of Zero Science Lab (CVE-2010-1280)\r\n * Chro HD of Fortinet's FortiGuard Labs (CVE-2010-1280, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291)\r\n * An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-0129)\r\n * Alin Rad Pop of Secunia Research (CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987)\r\n * An Anonymous Researcher reported through TippingPoint's Zero Day Initiative (CVE-2010-1281, CVE-2010-1283, CVE-2010-1292)\r\n", "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23830", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23830", "title": "Security update available for Shockwave Player", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "description": "Multiple buffer overflows, integer overflows, memory corruptions, code executions.", "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "SECURITYVULNS:VULN:10828", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10828", "title": "Adobe Shockwave multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-07-01T04:18:26", "bulletinFamily": "scanner", "description": "The remote Windows host contains a version of Adobe", "modified": "2020-07-02T00:00:00", "id": "SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/nessus/46329", "published": "2010-05-12T00:00:00", "title": "Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(46329);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n \"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n script_xref(name:\"Secunia\", value:\"38751\");\n\n script_name(english:\"Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)\");\n script_summary(english:\"Checks version of Shockwave Player\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host contains a web browser plugin that is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host contains a version of Adobe's Shockwave Player\nthat is earlier than 11.5.7.609. Such versions are affected by the\nfollowing issues :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks can result in memory corruption.\n (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error that can lead to memory corruption\n when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error that can lead to memory\n corruption when processing specially crafted\n Director files. (CVE-2010-0129)\n\n - An integer overflow vulnerability that can lead to\n memory corruption when processing specially\n crafted Director files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files can lead to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts\n from a Directory file can lead to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n can result in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-17/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-19/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-20/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-22/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-34/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-50/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/136\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/137\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/138\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_apsb09_08.nasl\");\n script_require_keys(\"SMB/shockwave_player\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\n\nport = kb_smb_transport();\ninstalls = get_kb_list('SMB/shockwave_player/*/path');\nif (isnull(installs))\n exit(0, 'Shockwave Player was not detected on the remote host.');\n\ninfo = NULL;\npattern = 'SMB/shockwave_player/([^/]+)/([^/]+)/path';\n\nforeach install (keys(installs))\n{\n match = eregmatch(string:install, pattern:pattern);\n if (!match) exit(1, 'Unexpected format of KB key \"'+install+'\".');\n\n file = installs[install];\n variant = match[1];\n version = match[2];\n ver = split(version, sep:'.', keep:FALSE);\n for (i = 0; i < max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n if (\n ver[0] < 11 ||\n (\n ver[0] == 11 &&\n (\n ver[1] < 5 ||\n (\n ver[1] == 5 &&\n (\n ver[2] < 7 ||\n (ver[2] == 7 && ver[3] < 609)\n )\n )\n )\n )\n )\n {\n if (variant == \"Plugin\")\n {\n info += '\\n - Browser Plugin (for Firefox / Netscape / Opera) :\\n';\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n - ActiveX control (for Internet Explorer) :\\n';\n }\n info += ' ' + file + ', ' + version + '\\n';\n }\n}\n\nif (!info) exit(0, \"No vulnerable installs of Shockwave Player were found.\");\n\nif (report_verbosity > 0)\n{\n if (max_index(split(info)) > 2) s = \"s\";\n else s = \"\";\n\n report =\n '\\nNessus has identified the following vulnerable instance'+s+' of Shockwave'+\n '\\nPlayer installed on the remote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n}\nelse security_hole(port:port);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T02:58:47", "bulletinFamily": "scanner", "description": "The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.6.606 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks results in memory corruption. (CVE-2010-0127,\n CVE-2010-1283)\n\n - A signedness error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory\n corruption when processing specially crafted Director\n files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a\n Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n results in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)", "modified": "2020-07-02T00:00:00", "id": "MACOSX_SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/nessus/80172", "published": "2014-12-22T00:00:00", "title": "Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80172);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n \"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n\n script_name(english:\"Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)\");\n script_summary(english:\"Checks the version of Shockwave Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser plugin that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.6.606 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks results in memory corruption. (CVE-2010-0127,\n CVE-2010-1283)\n\n - A signedness error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory\n corruption when processing specially crafted Director\n files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a\n Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n results in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/130\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/131\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/132\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_detect_macosx.nbin\");\n script_require_keys(\"installed_sw/Shockwave Player\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = 'Shockwave Player';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\nif (ver_compare(ver:ver, fix:'11.5.6.606', strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed versions : 11.5.7.609' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
