[CORE-2010-0405] Adobe Director Invalid Read

2010-05-12T00:00:00
ID SECURITYVULNS:DOC:23829
Type securityvulns
Reporter Securityvulns
Modified 2010-05-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://corelabs.coresecurity.com/

Adobe Director DIRAPI.DLL Invalid Read Vulnerability

  1. Advisory Information

Title: Adobe Director DIRAPI.DLL Invalid Read Vulnerability Advisory Id: CORE-2010-0405 Advisory URL: [http://www.coresecurity.com/content/adobe-director-invalid-read] Date published: 2010-05-11 Date of last update: 2010-05-11 Vendors contacted: Adobe Release mode: Coordinated release

  1. Vulnerability Information

Class: Input validation error [CWE-20] Impact: Denial of service Remotely Exploitable: Yes (client-side) Locally Exploitable: No CVE Name: CVE-2010-0128 Bugtraq ID: N/A

  1. Vulnerability Description

Adobe Director is prone to a vulnerability due to an invalid read in 'DIRAPI.DLL', when opening a malformed .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Adobe Director to open a specially crafted file.

  1. Vulnerable packages

. Adobe Director 11.5 . Adobe Director 11 (Version: 11.0.0.426)

  1. Non-vulnerable packages

. Adobe Director 11.5 (Version: 11.5.7.609)

  1. Solutions and Workarounds

    See the Adobe Security Bulletin [1] available at [http://www.adobe.com/go/apsb10-12/].

  2. Credits

This vulnerability was discovered and researched by Nahuel Riva, from Core Security Technologies. Publication was coordinated by Jorge Lucangeli Obes.

  1. Technical Description

The vulnerability occurs at offset '0x68174813' of the 'dirapi.dll' module of Adobe Director. Improper validation of input data leads to a crash in the memory read instruction. This vulnerability could result in arbitrary code execution, although it was not verified.

/----- App: Adobe Director 11 Version: 11.0.0.426 Module crash: Dirapi.dll Version: 11.0.0.426

Crash: 68174813 |. 8906 |MOV DWORD PTR DS:[ESI],EAX 68174815 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14] 68174819 |. 51 |PUSH ECX 6817481A |. E8 3197F5FF |CALL <JMP.&IML32.#1414> 6817481F |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX 68174822 |. 83C6 08 |ADD ESI,8 68174825 |. 4D |DEC EBP 68174826 |.^ 75 C8 \JNZ SHORT DIRAPI.681747F0

EAX=00000000 DS:[02889B20]=???

Registers: EAX 00000000 ECX 00000068 EDX 00000001 EBX FFE4B4D4 ESP 0012DFB8 EBP 0000373D ESI 02889B20 EDI 01BC9964 EIP 68174813 DIRAPI.68174813 C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 1 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDD000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_NEGATIVE_SEEK (00000083) EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty -??? FFFF 00000000 00000000 ST1 empty -??? FFFF 00000000 00000000 ST2 empty -??? FFFF 00000000 00000000 ST3 empty -??? FFFF 00000000 00000000 ST4 empty 0.0000106994366433355 ST5 empty 0.6322773098945617676 ST6 empty -0.0034003453329205513 ST7 empty 1041416.9375000000000 3 2 1 0 E S P U O Z D I FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ) FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1

Stack Trace: Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E 0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036 0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208 0012E01C 00A923C8 Arg1 = 00A923C8 0012E020 00000011 Arg2 = 00000011 0012E024 00000003 Arg3 = 00000003 0012E028 0012E050 Arg4 = 0012E050 0012E02C 00001100 Arg5 = 00001100 0012E048 680F6D50 DIRAPI.681701A0 DIRAPI.680F6D4B 0012E04C 00000000 Arg1 = 00000000 0012E050 00000003 Arg2 = 00000003 0012E054 00000091 Arg3 = 00000091 0012E058 0012E07C Arg4 = 0012E07C 0012E05C 00001100 Arg5 = 00001100 0012E068 6800CFC0 DIRAPI.680F6D30 DIRAPI.6800CFBB 0012E088 680817EC DIRAPI.6800CF80 DIRAPI.680817E7 0012E0B4 680823E3 DIRAPI.68081760 DIRAPI.680823DE 0012E0C8 680836A7 DIRAPI.68082380 DIRAPI.680836A2 0012E638 680839E2 DIRAPI.68082EA0 DIRAPI.680839DD 0012E634 0012E63C 00A86E8C Arg1 = 00A86E8C 0012E640 0012F5EC Arg2 = 0012F5EC 0012E644 00000000 Arg3 = 00000000 0012E648 00000000 Arg4 = 00000000 0012E64C 0000001A Arg5 = 0000001A 0012E674 68042D8C DIRAPI.68083970 DIRAPI.68042D87 0012F5EC 0012E678 00A86E8C Arg1 = 00A86E8C 0012E67C 0012F5EC Arg2 = 0012F5EC 0012E680 00000000 Arg3 = 00000000 0012E684 00000000 Arg4 = 00000000 0012E688 0000001A Arg5 = 0000001A 0012E6B0 6800A111 DIRAPI.68042C90 DIRAPI.#88+7C 0012E6B4 00A92588 Arg1 = 00A92588 0012E6B8 0012F5EC Arg2 = 0012F5EC 0012E6BC 00000000 Arg3 = 00000000 0012E6C0 0000001A Arg4 = 0000001A 0012E6DC 2018BB23 <JMP.&DIRAPI.#88> Director.2018BB1E 0012E83C 2027E776 ? Director.2018BAB0 Director.2027E771 - -----/

  1. Report Timeline

. 2010-04-14: Vendor contacted.

. 2010-04-14: Vendor requests PoC file.

. 2010-04-14: Core replies with the PoC file and the draft advisory.

. 2010-04-14: Adobe replies that will investigate the issue and sets a preliminary release date for June/July.

. 2010-04-15: Core agrees with the preliminary release date.

. 2010-04-28: Core requests an update on the situation, and asks whether Adobe was able to confirm if the bug is exploitable.

. 2010-04-28: Adobe replies that the issue was investigated and is scheduled to be fixed in the next release of Adobe Shockwave Player, planned for May; they did not carry out further exploitability research.

. 2010-04-28: Core requests a specific publication date for the fix.

. 2010-05-06: Adobe informs Core that the release date for the fix has been set to May 11th.

. 2010-05-07: Core asks Adobe if they want to provide the text for the "Solutions and Workarounds" section of the advisory.

. 2010-05-07: Adobe replies with the text for the "Solutions and Workarounds" section of the advisory.

. 2010-05-11: Advisory published.

  1. References

[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].

  1. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://www.coresecurity.com/corelabs].

  1. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com].

  1. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

  1. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvptp4ACgkQyNibggitWa2lwACgo9oRhMUsmUe+IH3jdK9d7B+m ebMAn1iAO1mYBqXGrm67F2oCxTd+OEe3 =s6Ek -----END PGP SIGNATURE-----