Adobe Director DIRAPI.DLL Invalid Read Vulnerability
Advisory Information
Title: Adobe Director DIRAPI.DLL Invalid Read Vulnerability
Advisory Id: CORE-2010-0405
Advisory URL:
[http://www.coresecurity.com/content/adobe-director-invalid-read]
Date published: 2010-05-11
Date of last update: 2010-05-11
Vendors contacted: Adobe
Release mode: Coordinated release
Vulnerability Information
Class: Input validation error [CWE-20]
Impact: Denial of service
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-0128
Bugtraq ID: N/A
Vulnerability Description
Adobe Director is prone to a vulnerability due to an invalid read in
'DIRAPI.DLL', when opening a malformed .dir file. This vulnerability
could be used by a remote attacker to execute arbitrary code, by
enticing the user of Adobe Director to open a specially crafted file.
Vulnerable packages
. Adobe Director 11.5
. Adobe Director 11 (Version: 11.0.0.426)
Non-vulnerable packages
. Adobe Director 11.5 (Version: 11.5.7.609)
Solutions and Workarounds
See the Adobe Security Bulletin [1] available at
[http://www.adobe.com/go/apsb10-12/].
Credits
This vulnerability was discovered and researched by Nahuel Riva, from
Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.
Technical Description
The vulnerability occurs at offset '0x68174813' of the 'dirapi.dll'
module of Adobe Director. Improper validation of input data leads to a
crash in the memory read instruction. This vulnerability could result in
arbitrary code execution, although it was not verified.
/-----
App: Adobe Director 11
Version: 11.0.0.426
Module crash: Dirapi.dll Version: 11.0.0.426

Crash:
68174813 |. 8906 |MOV DWORD PTR DS:[ESI],EAX
68174815 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14]
68174819 |. 51 |PUSH ECX
6817481A |. E8 3197F5FF |CALL <JMP.&IML32.#1414>
6817481F |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX
68174822 |. 83C6 08 |ADD ESI,8
68174825 |. 4D |DEC EBP
68174826 |.^ 75 C8 \JNZ SHORT DIRAPI.681747F0

EAX=00000000
DS:[02889B20]=???

Registers:
EAX 00000000
ECX 00000068
EDX 00000001
EBX FFE4B4D4
ESP 0012DFB8
EBP 0000373D
ESI 02889B20
EDI 01BC9964
EIP 68174813 DIRAPI.68174813
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NEGATIVE_SEEK (00000083)
EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000000 00000000
ST4 empty 0.0000106994366433355
ST5 empty 0.6322773098945617676
ST6 empty -0.0034003453329205513
ST7 empty 1041416.9375000000000
 3 2 1 0 E S P U O Z D I
FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1

Stack Trace:
Call stack of main thread
Address Stack Procedure / arguments Called from
 Frame
0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E
0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036
0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208
0012E01C 00A923C8 Arg1 = 00A923C8
0012E020 00000011 Arg2 = 00000011
0012E024 00000003 Arg3 = 00000003
0012E028 0012E050 Arg4 = 0012E050
0012E02C 00001100 Arg5 = 00001100
0012E048 680F6D50 DIRAPI.681701A0 DIRAPI.680F6D4B
0012E04C 00000000 Arg1 = 00000000
0012E050 00000003 Arg2 = 00000003
0012E054 00000091 Arg3 = 00000091
0012E058 0012E07C Arg4 = 0012E07C
0012E05C 00001100 Arg5 = 00001100
0012E068 6800CFC0 DIRAPI.680F6D30 DIRAPI.6800CFBB
0012E088 680817EC DIRAPI.6800CF80 DIRAPI.680817E7
0012E0B4 680823E3 DIRAPI.68081760 DIRAPI.680823DE
0012E0C8 680836A7 DIRAPI.68082380 DIRAPI.680836A2
0012E638 680839E2 DIRAPI.68082EA0 DIRAPI.680839DD
 0012E634
0012E63C 00A86E8C Arg1 = 00A86E8C
0012E640 0012F5EC Arg2 = 0012F5EC
0012E644 00000000 Arg3 = 00000000
0012E648 00000000 Arg4 = 00000000
0012E64C 0000001A Arg5 = 0000001A
0012E674 68042D8C DIRAPI.68083970 DIRAPI.68042D87
 0012F5EC
0012E678 00A86E8C Arg1 = 00A86E8C
0012E67C 0012F5EC Arg2 = 0012F5EC
0012E680 00000000 Arg3 = 00000000
0012E684 00000000 Arg4 = 00000000
0012E688 0000001A Arg5 = 0000001A
0012E6B0 6800A111 DIRAPI.68042C90 DIRAPI.#88+7C
0012E6B4 00A92588 Arg1 = 00A92588
0012E6B8 0012F5EC Arg2 = 0012F5EC
0012E6BC 00000000 Arg3 = 00000000
0012E6C0 0000001A Arg4 = 0000001A
0012E6DC 2018BB23 <JMP.&DIRAPI.#88> Director.2018BB1E
0012E83C 2027E776 ? Director.2018BAB0 Director.2027E771
-----/
Report Timeline
. 2010-04-14:
Vendor contacted.
. 2010-04-14:
Vendor requests PoC file.
. 2010-04-14:
Core replies with the PoC file and the draft advisory.
. 2010-04-14:
Adobe replies that it will investigate the issue and sets a preliminary
release date for June/July.
. 2010-04-15:
Core agrees with the preliminary release date.
. 2010-04-28:
Core requests an update on the situation, and asks whether Adobe was
able to confirm if the bug is exploitable.
. 2010-04-28:
Adobe replies that the issue was investigated and is scheduled to be
fixed in the next release of Adobe Shockwave Player, planned for May;
they did not carry out further exploitability research.
. 2010-04-28:
Core requests a specific publication date for the fix.
. 2010-05-06:
Adobe informs Core that the release date for the fix has been set to May
11th.
. 2010-05-07:
Core asks Adobe if they want to provide the text for the "Solutions and
Workarounds" section of the advisory.
. 2010-05-07:
Adobe replies with the text for the "Solutions and Workarounds" section
of the advisory.
. 2010-05-11:
Advisory published.
References
[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://www.coresecurity.com/corelabs].
About Core Security Technologies
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
Disclaimer
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
{"coresecurity": [{"lastseen": "2022-02-22T17:31:47", "description": "### 1\\. Advisory Information\n\n**Title: **Adobe Director DIRAPI.DLL Memory Corruption Vulnerability \n**Advisory Id: **CORE-2010-0405 \n**Advisory URL: **[http://www.coresecurity.com/content/adobe-director-memory-corruption](<adobe-director-memory-corruption>) \n**Date published: **2010-05-11 \n**Date of last update: **2010-05-11 \n**Vendors contacted: **Adobe \n**Release mode: **Coordinated release\n\n### 2\\. Vulnerability Information\n\n**Class: **Input validation error [[CWE-20](<http://cwe.mitre.org/data/definitions/20.html>)] \n**Impact: **Denial of service \n**Remotely Exploitable: **Yes (client-side) \n**Locally Exploitable: **No \n**CVE Name: **[CVE-2010-0128](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0128>) \n**Bugtraq ID: **N/A\n\n### 3\\. Vulnerability Description\n\nAdobe Director is prone to a memory corruption vulnerability due to an invalid write in `dirapi.dll`, when opening a malformed .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Adobe Director to open a specially crafted file.\n\n### 4\\. Vulnerable packages\n\n * Adobe Director 11.5\n * Adobe Director 11 (Version: 11.0.0.426)\n\n### 5\\. Non-vulnerable packages\n\n * Adobe Director 11.5 (Version: 11.5.7.609)\n\n### 6\\. Solutions and Workarounds\n\nSee the Adobe Security Bulletin [1].\n\n### 7\\. Credits\n\nThis vulnerability was discovered and researched by Nahuel Riva, from Core Security Technologies. Additional research was performed by Francisco Falcon. Publication was coordinated by Jorge Lucangeli Obes.\n\n### 8\\. Technical Description\n\nThe vulnerability occurs at offset `0x68174813` of the `dirapi.dll` module of Adobe Director. Improper validation of the input data leads to a crash in the memory write instruction. 
This vulnerability could result in arbitrary code execution, although it was not verified.\n \n \n App: Adobe Director 11 Version: 11.0.0.426 Module crash: Dirapi.dll Version: 11.0.0.426 Crash: 68174813 |. 8906 |MOV DWORD PTR DS:[ESI],EAX 68174815 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14] 68174819 |. 51 |PUSH ECX 6817481A |. E8 3197F5FF |CALL <JMP.&IML32.#1414> 6817481F |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX 68174822 |. 83C6 08 |ADD ESI,8 68174825 |. 4D |DEC EBP 68174826 |.^ 75 C8 \\JNZ SHORT DIRAPI.681747F0 EAX=00000000 DS:[02889B20]=??? Registers: EAX 00000000 ECX 00000068 EDX 00000001 EBX FFE4B4D4 ESP 0012DFB8 EBP 0000373D ESI 02889B20 EDI 01BC9964 EIP 68174813 DIRAPI.68174813 C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 1 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDD000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_NEGATIVE_SEEK (00000083) EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty -??? FFFF 00000000 00000000 ST1 empty -??? FFFF 00000000 00000000 ST2 empty -??? FFFF 00000000 00000000 ST3 empty -??? 
FFFF 00000000 00000000 ST4 empty 0.0000106994366433355 ST5 empty 0.6322773098945617676 ST6 empty -0.0034003453329205513 ST7 empty 1041416.9375000000000 3 2 1 0 E S P U O Z D I FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ) FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1 Stack Trace: Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E 0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036 0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208 0012E01C 00A923C8 Arg1 = 00A923C8 0012E020 00000011 Arg2 = 00000011 0012E024 00000003 Arg3 = 00000003 0012E028 0012E050 Arg4 = 0012E050 0012E02C 00001100 Arg5 = 00001100 0012E048 680F6D50 DIRAPI.681701A0 DIRAPI.680F6D4B 0012E04C 00000000 Arg1 = 00000000 0012E050 00000003 Arg2 = 00000003 0012E054 00000091 Arg3 = 00000091 0012E058 0012E07C Arg4 = 0012E07C 0012E05C 00001100 Arg5 = 00001100 0012E068 6800CFC0 DIRAPI.680F6D30 DIRAPI.6800CFBB 0012E088 680817EC DIRAPI.6800CF80 DIRAPI.680817E7 0012E0B4 680823E3 DIRAPI.68081760 DIRAPI.680823DE 0012E0C8 680836A7 DIRAPI.68082380 DIRAPI.680836A2 0012E638 680839E2 DIRAPI.68082EA0 DIRAPI.680839DD 0012E634 0012E63C 00A86E8C Arg1 = 00A86E8C 0012E640 0012F5EC Arg2 = 0012F5EC 0012E644 00000000 Arg3 = 00000000 0012E648 00000000 Arg4 = 00000000 0012E64C 0000001A Arg5 = 0000001A 0012E674 68042D8C DIRAPI.68083970 DIRAPI.68042D87 0012F5EC 0012E678 00A86E8C Arg1 = 00A86E8C 0012E67C 0012F5EC Arg2 = 0012F5EC 0012E680 00000000 Arg3 = 00000000 0012E684 00000000 Arg4 = 00000000 0012E688 0000001A Arg5 = 0000001A 0012E6B0 6800A111 DIRAPI.68042C90 DIRAPI.#88+7C 0012E6B4 00A92588 Arg1 = 00A92588 0012E6B8 0012F5EC Arg2 = 0012F5EC 0012E6BC 00000000 Arg3 = 00000000 0012E6C0 0000001A Arg4 = 0000001A 0012E6DC 2018BB23 <JMP.&DIRAPI.#88> Director.2018BB1E 0012E83C 2027E776 ? 
Director.2018BAB0 Director.2027E771 \n\nThe vulnerable module `dirapi.dll` takes the two-byte word at offset `0x41B82` of the .dir file, and uses it as a counter for a loop that performs memory writes. The value is used without being verified:\n \n \n 68177D86 |. 85ED TEST EBP,EBP ; EBP is the loop counter = word at offset 0x41B82 68177D88 |. 7E 3E JLE SHORT DIRAPI.68177DC8 68177D8A |. 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX] 68177D90 |> 8B4424 10 /MOV EAX,DWORD PTR SS:[ESP+10] 68177D94 |. 85C0 |TEST EAX,EAX 68177D96 |. 74 11 |JE SHORT DIRAPI.68177DA9 68177D98 |. 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14] 68177D9C |. 51 |PUSH ECX 68177D9D |. E8 786EF5FF |CALL <JMP.&IML32.#1412> 68177DA2 |. 0FBFD0 |MOVSX EDX,AX 68177DA5 |. 8916 |MOV DWORD PTR DS:[ESI],EDX 68177DA7 |. EB 0C |JMP SHORT DIRAPI.68177DB5 68177DA9 |> 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14] 68177DAD |. 50 |PUSH EAX 68177DAE |. E8 796EF5FF |CALL <JMP.&IML32.#1414> 68177DB3 |. 8906 |MOV DWORD PTR DS:[ESI],EAX ; memory write 68177DB5 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14] 68177DB9 |. 51 |PUSH ECX 68177DBA |. E8 6D6EF5FF |CALL <JMP.&IML32.#1414> 68177DBF |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX ; memory write 68177DC2 |. 83C6 08 |ADD ESI,8 ; update the write destination address 68177DC5 |. 4D |DEC EBP ; decrement the counter 68177DC6 |.^ 75 C8 \\JNZ SHORT DIRAPI.68177D90 ; loop until the counter is 0 \n\n \nIf the word at offset `0x41B82` has a sufficiently high value, the application will loop more times than it should, thus corrupting memory beyond limits. Moreover, after reading said word, this value is sign-extended into a four-byte dword, using the `MOVSX` instruction. If the most significant bit of the word is set, the resulting dword will be of the form 0xFFFFXXXX, thus being a negative number if interpreted as a signed integer, and a very large number if interpreted as an unsigned integer:\n \n \n 68178A3E |. E8 D761F5FF CALL <JMP.&IML32.#1412> 68178A43 |. 
0FBFC0 MOVSX EAX,AX ; Move with sign extension. AX = dword @ offset 0x41B82 68178A46 |. 8986 88000000 MOV DWORD PTR DS:[ESI+88],EAX \n\n \nWhen the dword is negative, the application does not enter the loop. However, the application does calculate a value using this dword, which can be controlled by the attacker.\n \n \n 68177D72 |> 8D04EB LEA EAX,DWORD PTR DS:[EBX+EBP*8] ; EBP= word @ offset 14B82 converted to dword with MOVSX \n\n \nThis value is stored and later, after stepping over the loop, added to a pointer. This pointer is subsequently used as a destination operand for a memory write instruction inside another loop, thus making the attacker able to partially control the destination instruction of the memory copy, allowing for memory corruption.\n \n \n 68178104 |> 8B3B MOV EDI,DWORD PTR DS:[EBX] ; load a pointer into EDI 68178106 |. 037C24 78 ADD EDI,DWORD PTR SS:[ESP+78] ; add a value that partially depends on user-controlled data to that pointer 6817810A |. 33F6 XOR ESI,ESI 6817810C |. 85ED TEST EBP,EBP 6817810E |. 7E 15 JLE SHORT DIRAPI.68178125 68178110 |> 8B5424 7C /MOV EDX,DWORD PTR SS:[ESP+7C] 68178114 |. 52 |PUSH EDX 68178115 |. E8 006BF5FF |CALL <JMP.&IML32.#1412> 6817811A |. 0FBFC0 |MOVSX EAX,AX 6817811D |. 8904B7 |MOV DWORD PTR DS:[EDI+ESI*4],EAX ; memory write 68178120 |. 46 |INC ESI ; update the destination address 68178121 |. 3BF5 |CMP ESI,EBP 68178123 |.^ 7C EB \\JL SHORT DIRAPI.68178110 \n\n### 9\\. 
Report Timeline\n\n * **2010-04-14: **Vendor contacted.\n * **2010-04-14: **Vendor requests PoC file.\n * **2010-04-14: **Core replies with the PoC file and the draft advisory.\n * **2010-04-14: **Adobe replies that will investigate the issue and sets a preliminary release date for June/July.\n * **2010-04-15: **Core agrees with the preliminary release date.\n * **2010-04-28: **Core requests an update on the situation, and asks whether Adobe was able to confirm if the bug is exploitable.\n * **2010-04-28: **Adobe replies that the issue was investigated and is scheduled to be fixed in the next release of Adobe Shockwave Player, planned for May; they did not carry out further exploitability research.\n * **2010-04-28: **Core requests a specific publication date for the fix.\n * **2010-05-06: **Adobe informs Core that the release date for the fix has been set to May 11th.\n * **2010-05-07: **Core asks Adobe if they want to provide the text for the \"Solutions and Workarounds\" section of the advisory.\n * **2010-05-07: **Adobe replies with the text for the \"Solutions and Workarounds\" section of the advisory.\n * **2010-05-11: **Advisory published.\n * **2010-07-01: **Additional research performed.\n\n### 10\\. References\n\n[1] Adobe Security Bulletin.\n\n### 11\\. About CoreLabs\n\nCoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.\n\n### 12\\. 
About Core Security Technologies\n\nCore Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.\n\n### 13\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) Licence: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>.\n\n### 14\\. 
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security Technologies advisories team.\n", "cvss3": {}, "published": "2010-05-11T00:00:00", "type": "coresecurity", "title": "Adobe Director DIRAPI.DLL Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0128"], "modified": "2010-05-11T00:00:00", "id": "CORE-2010-0405", "href": "https://www.coresecurity.com/core-labs/advisories/adobe-director-memory-corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-0128"], "description": "====================================================================== \r\n\r\n Secunia Research 12/05/2010\r\n\r\n - Adobe Shockwave Player Signedness Error Vulnerability -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nVendor's Description of Software.....................................3\r\nDescription of Vulnerability.........................................4\r\nSolution.............................................................5\r\nTime 
Table...........................................................6\r\nCredits..............................................................7\r\nReferences...........................................................8\r\nAbout Secunia........................................................9\r\nVerification........................................................10\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\n* Adobe Shockwave Player 11.5.6.606\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Highly critical\r\nImpact: System access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Vendor's Description of Software \r\n\r\n"Over 450 million Internet-enabled desktops have installed Adobe \r\nShockwave Player. These people now have access to some of the best the\r\nWeb has to offer - including dazzling 3D games and entertainment, \r\ninteractive product demonstrations, and online learning applications."\r\n\r\nProduct Link:\r\nhttp://www.adobe.com/products/shockwaveplayer/\r\n\r\n====================================================================== \r\n4) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Adobe Shockwave \r\nPlayer, which can be exploited by malicious people to potentially \r\ncompromise a user's system.\r\n\r\nThe vulnerability is caused due to a signedness error when processing \r\nShockwave files. This can be exploited to corrupt memory when a \r\nspecially crafted Shockwave file (e.g. 
".dir") is opened.\r\n\r\nSuccessful exploitation may allow execution of arbitrary code.\r\n\r\n====================================================================== \r\n5) Solution \r\n\r\nUpdate to version 11.5.7.609.\r\n\r\n====================================================================== \r\n6) Time Table \r\n\r\n03/03/2010 - Vendor notified.\r\n03/03/2010 - Vendor response.\r\n12/05/2010 - Public disclosure.\r\n\r\n====================================================================== \r\n7) Credits \r\n\r\nDiscovered by Alin Rad Pop, Secunia Research.\r\n\r\n====================================================================== \r\n8) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nCVE-2010-0128 for the vulnerability.\r\n\r\n====================================================================== \r\n9) About Secunia\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private \r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the \r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. 
Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n====================================================================== \r\n10) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2010-19/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================", "edition": 1, "modified": "2010-05-13T00:00:00", "published": "2010-05-13T00:00:00", "id": "SECURITYVULNS:DOC:23835", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23835", "title": "Secunia Research: Adobe Shockwave Player Signedness Error Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:12:17", "bulletinFamily": "software", "cvelist": ["CVE-2010-1283", "CVE-2010-1289", "CVE-2010-0130", "CVE-2010-1292", "CVE-2010-0987", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-0127", "CVE-2010-1281", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-1290", "CVE-2010-1286", "CVE-2010-1280", "CVE-2010-1282", "CVE-2010-0986", "CVE-2010-1291", "CVE-2010-1284"], "description": "Multiple buffer overflows, integer overflows, memory corruptions, code executions.", "edition": 2, "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "SECURITYVULNS:VULN:10828", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10828", "title": "Adobe Shockwave multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1283", 
"CVE-2010-1289", "CVE-2010-0130", "CVE-2010-1292", "CVE-2010-0987", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-0127", "CVE-2010-1281", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-1290", "CVE-2010-1286", "CVE-2010-1280", "CVE-2010-1282", "CVE-2010-0986", "CVE-2010-1291", "CVE-2010-1284"], "description": "Security update available for Shockwave Player\r\n\r\nRelease date: May 11, 2010\r\n\r\nVulnerability identifier: APSB10-12\r\n\r\nCVE number: CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987, CVE-2010-1280, CVE-2010-1281, CVE-2010-1282, CVE-2010-1283, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292\r\n\r\nPlatform: Windows and Macintosh\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided below.\r\nAffected software versions\r\n\r\nShockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh\r\nSolution\r\n\r\nAdobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions upgrade to the newest version 11.5.7.609, available here: http://get.adobe.com/shockwave/.\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical update and recommends that users apply the update for their product installations.\r\nDetails\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. 
Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided above.\r\n\r\nThis update resolves a boundary error vulnerability that if exploited, could lead to memory corruption and possible code execution (CVE-2010-0127).\r\n\r\nThis update resolves a signedness error vulnerability that could lead to code execution (CVE-2010-0128).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities due to integer overflow that could lead to code execution (CVE-2010-0129).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-0130).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0986).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0987).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1280).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1281).\r\n\r\nThis update resolves an infinite loop vulnerability that could lead to a denial of service (CVE-2010-1282).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1283).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1284).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1286).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1287).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-1288).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1289).\r\n\r\nThis update resolves a memory corruption 
vulnerability that could lead to code execution (CVE-2010-1290).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1291).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1292).\r\nAcknowledgments\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:\r\n\r\n * Chaouki Bekrar of VUPEN Vulnerability Research Team (CVE-2010-1280, CVE-2010-1283, CVE-2010-0129, CVE-2010-1284)\r\n * Sebastien Renaud of VUPEN Vulnerability Research Team (CVE-2010-1280)\r\n * Code Audit Labs (CVE-2010-0129, CVE-2010-1280, CVE-2010-1282)\r\n * Nahuel Riva of Core Security Technologies (CVE-2010-0128)\r\n * Gjoko Krstic of Zero Science Lab (CVE-2010-1280)\r\n * Chro HD of Fortinet's FortiGuard Labs (CVE-2010-1280, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291)\r\n * An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-0129)\r\n * Alin Rad Pop of Secunia Research (CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987)\r\n * An Anonymous Researcher reported through TippingPoint's Zero Day Initiative (CVE-2010-1281, CVE-2010-1283, CVE-2010-1292)\r\n", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23830", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23830", "title": "Security update available for Shockwave Player", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-04-22T07:06:06", "description": "Integer signedness error in dirapi.dll in Adobe Shockwave Player before 11.5.7.609 and Adobe Director before 11.5.7.609 allows remote attackers to cause a denial of service 
(memory corruption) or possibly execute arbitrary code via a crafted .dir file that triggers an invalid read operation.", "cvss3": {}, "published": "2010-05-13T17:30:00", "type": "cve", "title": "CVE-2010-0128", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0128"], "modified": "2022-04-22T01:44:00", "cpe": ["cpe:/a:adobe:shockwave_player:11.5.6.606"], "id": "CVE-2010-0128", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0128", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:shockwave_player:11.5.6.606:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2022-04-16T14:12:52", "description": "The remote Mac OS X host contains a version of Adobe Shockwave Player that is 11.5.6.606 or earlier. It is, therefore, affected by multiple vulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave 3D blocks results in memory corruption. (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error leads to memory corruption when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory corruption when processing specially crafted Director files. 
(CVE-2010-0130)\n\n - An unspecified error when processing asset entries in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files results in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292)", "cvss3": {"score": null, "vector": null}, "published": "2014-12-22T00:00:00", "type": "nessus", "title": "Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0127", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-0130", "CVE-2010-0986", "CVE-2010-0987", "CVE-2010-1280", "CVE-2010-1281", "CVE-2010-1282", "CVE-2010-1283", "CVE-2010-1284", "CVE-2010-1286", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-1289", "CVE-2010-1290", "CVE-2010-1291", "CVE-2010-1292"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:shockwave_player"], "id": "MACOSX_SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/nessus/80172", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80172);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n 
\"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n\n script_name(english:\"Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser plugin that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.6.606 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks results in memory corruption. (CVE-2010-0127,\n CVE-2010-1283)\n\n - A signedness error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory\n corruption when processing specially crafted Director\n files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a\n Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n results in memory corruption. 
(CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n # https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=869\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/130\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/131\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/132\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_detect_macosx.nbin\");\n script_require_keys(\"installed_sw/Shockwave Player\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = 'Shockwave Player';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\nif (ver_compare(ver:ver, fix:'11.5.6.606', strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed versions : 11.5.7.609' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:04:22", "description": "The remote Windows host contains a version of Adobe's Shockwave Player that is earlier than 11.5.7.609. 
Such versions are affected by the following issues :\n\n - Processing specially crafted FFFFFF45h Shockwave 3D blocks can result in memory corruption.\n (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error that can lead to memory corruption when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error that can lead to memory corruption when processing specially crafted Director files. (CVE-2010-0129)\n\n - An integer overflow vulnerability that can lead to memory corruption when processing specially crafted Director files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries in Director files can lead to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a Directory file can lead to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files can result in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292)", "cvss3": {"score": null, "vector": null}, "published": "2010-05-12T00:00:00", "type": "nessus", "title": "Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0127", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-0130", "CVE-2010-0986", "CVE-2010-0987", "CVE-2010-1280", "CVE-2010-1281", "CVE-2010-1282", "CVE-2010-1283", "CVE-2010-1284", "CVE-2010-1286", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-1289", "CVE-2010-1290", "CVE-2010-1291", "CVE-2010-1292"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:adobe:shockwave_player"], "id": "SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/nessus/46329", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n 
script_id(46329);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n \"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n script_xref(name:\"Secunia\", value:\"38751\");\n\n script_name(english:\"Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)\");\n script_summary(english:\"Checks version of Shockwave Player\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host contains a web browser plugin that is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host contains a version of Adobe's Shockwave Player\nthat is earlier than 11.5.7.609. Such versions are affected by the\nfollowing issues :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks can result in memory corruption.\n (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error that can lead to memory corruption\n when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error that can lead to memory\n corruption when processing specially crafted\n Director files. (CVE-2010-0129)\n\n - An integer overflow vulnerability that can lead to\n memory corruption when processing specially\n crafted Director files. 
(CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files can lead to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts\n from a Directory file can lead to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n can result in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-17/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-19/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-20/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-22/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-34/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-50/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/136\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://seclists.org/fulldisclosure/2010/May/137\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/138\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_apsb09_08.nasl\");\n script_require_keys(\"SMB/shockwave_player\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\n\nport = kb_smb_transport();\ninstalls = get_kb_list('SMB/shockwave_player/*/path');\nif (isnull(installs))\n exit(0, 'Shockwave Player was not detected on the remote host.');\n\ninfo = NULL;\npattern = 
'SMB/shockwave_player/([^/]+)/([^/]+)/path';\n\nforeach install (keys(installs))\n{\n match = eregmatch(string:install, pattern:pattern);\n if (!match) exit(1, 'Unexpected format of KB key \"'+install+'\".');\n\n file = installs[install];\n variant = match[1];\n version = match[2];\n ver = split(version, sep:'.', keep:FALSE);\n for (i = 0; i < max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n if (\n ver[0] < 11 ||\n (\n ver[0] == 11 &&\n (\n ver[1] < 5 ||\n (\n ver[1] == 5 &&\n (\n ver[2] < 7 ||\n (ver[2] == 7 && ver[3] < 609)\n )\n )\n )\n )\n )\n {\n if (variant == \"Plugin\")\n {\n info += '\\n - Browser Plugin (for Firefox / Netscape / Opera) :\\n';\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n - ActiveX control (for Internet Explorer) :\\n';\n }\n info += ' ' + file + ', ' + version + '\\n';\n }\n}\n\nif (!info) exit(0, \"No vulnerable installs of Shockwave Player were found.\");\n\nif (report_verbosity > 0)\n{\n if (max_index(split(info)) > 2) s = \"s\";\n else s = \"\";\n\n report =\n '\\nNessus has identified the following vulnerable instance'+s+' of Shockwave'+\n '\\nPlayer installed on the remote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n}\nelse security_hole(port:port);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-04-02T00:59:29", "description": "Adobe Shockwave is a multimedia player that allows Adobe Director applications to be published on the Internet and viewed in a web browser by anyone who has the Shockwave plug-in installed. Multiple vulnerabilities have been identified in Adobe Shockwave Player. The vulnerabilities are due to memory corruption, integer overflow, buffer overflow, and boundary errors in Adobe Shockwave Player that fails to properly handle Directory files. A remote attacker could trigger these flaws by convincing a victim to open a specially crafted Directory file. 
Successful exploitation of this issue may corrupt system memory, allowing execution of malicious code on the affected system. There are cases in which certain traffic, although not intended for malicious use, is very unsafe, since it may transfer shellcode which is undetectable by IPS.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2010-05-17T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Director Files (CVE-2010-0127; CVE-2010-0128; CVE-2010-0129; CVE-2010-0130; CVE-2010-0986; CVE-2010-0987; CVE-2010-1280; CVE-2010-1281; CVE-2010-1282; CVE-2010-1283; CVE-2010-1284; CVE-2010-1286; CVE-2010-1287; CVE-2010-1288; CVE-2010-1289; CVE-2010-1290; CVE-2010-1291; CVE-2010-1292)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0127", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-0130", "CVE-2010-0986", "CVE-2010-0987", "CVE-2010-1280", "CVE-2010-1281", "CVE-2010-1282", "CVE-2010-1283", "CVE-2010-1284", "CVE-2010-1286", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-1289", "CVE-2010-1290", "CVE-2010-1291", "CVE-2010-1292"], "modified": "2016-01-27T00:00:00", "id": "SBP-2010-19", "href": "", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:09:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1283", "CVE-2010-1289", "CVE-2010-0130", "CVE-2010-1292", "CVE-2010-0987", "CVE-2010-1287", "CVE-2010-1288", "CVE-2010-0127", "CVE-2010-1281", "CVE-2010-0128", "CVE-2010-0129", "CVE-2010-1290", "CVE-2010-1286", "CVE-2010-1280", "CVE-2010-1282", "CVE-2010-0986", "CVE-2010-1291", "CVE-2010-1284"], "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "modified": "2017-02-10T00:00:00", "published": "2010-05-19T00:00:00", "id": "OPENVAS:801335", "href": "http://plugins.openvas.org/nasl.php?oid=801335", "type": "openvas", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_mult_code_exe_vuln_may10.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 