Secunia Research 12/05/2010
- Adobe Shockwave Player Font Processing Buffer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. These people now have access to some of the best the
Web has to offer - including dazzling 3D games and entertainment,
interactive product demonstrations, and online learning applications."
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Adobe Shockwave
Player, which can be exploited by malicious people to potentially
compromise a user's system.
The vulnerability is caused by a boundary error when parsing embedded
fonts. This can be exploited to cause a heap-based buffer overflow via
a specially crafted Shockwave file.
Successful exploitation may allow execution of arbitrary code.
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0987 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
{"id": "SECURITYVULNS:DOC:23842", "bulletinFamily": "software", "title": "Secunia Research: Adobe Shockwave Player Font Processing Buffer Overflow", "description": "====================================================================== \r\n\r\n Secunia Research 12/05/2010\r\n\r\n - Adobe Shockwave Player Font Processing Buffer Overflow -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nVendor's Description of Software.....................................3\r\nDescription of Vulnerability.........................................4\r\nSolution.............................................................5\r\nTime Table...........................................................6\r\nCredits..............................................................7\r\nReferences...........................................................8\r\nAbout Secunia........................................................9\r\nVerification........................................................10\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\n* Adobe Shockwave Player 11.5.6.606\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Highly critical\r\nImpact: System access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Vendor's Description of Software \r\n\r\n"Over 450 million Internet-enabled desktops have installed Adobe \r\nShockwave Player. These people now have access to some of the best the\r\nWeb has to offer - including dazzling 3D games and entertainment, \r\ninteractive product demonstrations, and online learning applications."\r\n\r\nProduct Link:\r\nhttp://www.adobe.com/products/shockwaveplayer/\r\n\r\n====================================================================== \r\n4) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Adobe Shockwave \r\nPlayer, which can be exploited by malicious people to potentially \r\ncompromise a user's system.\r\n\r\nThe vulnerability is caused by a boundary error when parsing embedded\r\nfonts. This can be exploited to cause a heap-based buffer overflow via\r\na specially crafted Shockwave file.\r\n\r\nSuccessful exploitation may allow execution of arbitrary code.\r\n\r\n====================================================================== \r\n5) Solution \r\n\r\nUpdate to version 11.5.7.609.\r\n\r\n====================================================================== \r\n6) Time Table \r\n\r\n23/03/2010 - Vendor notified.\r\n23/03/2010 - Vendor response.\r\n12/05/2010 - Public disclosure.\r\n\r\n====================================================================== \r\n7) Credits \r\n\r\nDiscovered by Alin Rad Pop, Secunia Research.\r\n\r\n====================================================================== \r\n8) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\nCVE-2010-0987 for the vulnerability.\r\n\r\n====================================================================== \r\n9) About Secunia\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private \r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the \r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n====================================================================== \r\n10) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2010-50/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================", "published": "2010-05-13T00:00:00", "modified": "2010-05-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23842", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-0987"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:34", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "86c530127dcbf49a9d087dab7f77f02d"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "27fbf1e13346232798fd4adc4e0d4386"}, {"key": "href", "hash": "40842f939895b2ffe004c0e2d5e11868"}, {"key": "modified", "hash": "ba28662d481de7a7d4b4b225a676857e"}, {"key": "published", "hash": "ba28662d481de7a7d4b4b225a676857e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "dd5be3885298639a6aea60b8708dfcf5"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "d57a801378c28c1bc812c1fdc6818d49f16945a9def887d92d2e1cdf3cef9f8c", "viewCount": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2018-08-31T11:10:34"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-0987"]}, {"type": "nessus", "idList": ["MACOSX_SHOCKWAVE_PLAYER_APSB10-12.NASL", "SHOCKWAVE_PLAYER_APSB10-12.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801335", "OPENVAS:801335"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10828", "SECURITYVULNS:DOC:23830"]}], "modified": "2018-08-31T11:10:34"}, "vulnersScore": 6.8}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2018-10-11T11:34:15", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via crafted embedded fonts in a Shockwave file.", "modified": "2018-10-10T15:55:12", "published": "2010-05-13T13:30:01", "id": "CVE-2010-0987", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0987", "title": "CVE-2010-0987", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "description": "Multiple buffer overflows, integer overflows, memory corruptions, code executions.", "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "SECURITYVULNS:VULN:10828", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10828", "title": "Adobe Shockwave multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "description": "Security update available for Shockwave Player\r\n\r\nRelease date: May 11, 2010\r\n\r\nVulnerability identifier: APSB10-12\r\n\r\nCVE number: CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987, CVE-2010-1280, CVE-2010-1281, CVE-2010-1282, CVE-2010-1283, CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291, CVE-2010-1292\r\n\r\nPlatform: Windows and Macintosh\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided below.\r\nAffected software versions\r\n\r\nShockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh\r\nSolution\r\n\r\nAdobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions upgrade to the newest version 11.5.7.609, available here: http://get.adobe.com/shockwave/.\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical update and recommends that users apply the update for their product installations.\r\nDetails\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the instructions provided above.\r\n\r\nThis update resolves a boundary error vulnerability that if exploited, could lead to memory corruption and possible code execution (CVE-2010-0127).\r\n\r\nThis update resolves a signedness error vulnerability that could lead to code execution (CVE-2010-0128).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities due to integer overflow that could lead to code execution (CVE-2010-0129).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-0130).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0986).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0987).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1280).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1281).\r\n\r\nThis update resolves an infinite loop vulnerability that could lead to a denial of service (CVE-2010-1282).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1283).\r\n\r\nThis update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1284).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1286).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1287).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-1288).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1289).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1290).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1291).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1292).\r\nAcknowledgments\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:\r\n\r\n * Chaouki Bekrar of VUPEN Vulnerability Research Team (CVE-2010-1280, CVE-2010-1283, CVE-2010-0129, CVE-2010-1284)\r\n * Sebastien Renaud of VUPEN Vulnerability Research Team (CVE-2010-1280)\r\n * Code Audit Labs (CVE-2010-0129, CVE-2010-1280, CVE-2010-1282)\r\n * Nahuel Riva of Core Security Technologies (CVE-2010-0128)\r\n * Gjoko Krstic of Zero Science Lab (CVE-2010-1280)\r\n * Chro HD of Fortinet's FortiGuard Labs (CVE-2010-1280, CVE-2010-1286, CVE-2010-1287, CVE-2010-1288, CVE-2010-1289, CVE-2010-1290, CVE-2010-1291)\r\n * An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-0129)\r\n * Alin Rad Pop of Secunia Research (CVE-2010-0127, CVE-2010-0128, CVE-2010-0129, CVE-2010-0130, CVE-2010-0986, CVE-2010-0987)\r\n * An Anonymous Researcher reported through TippingPoint's Zero Day Initiative (CVE-2010-1281, CVE-2010-1283, CVE-2010-1292)\r\n", "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23830", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23830", "title": "Security update available for Shockwave Player", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:10:37", "bulletinFamily": "scanner", "description": "The remote Windows host contains a version of Adobe's Shockwave Player\nthat is earlier than 11.5.7.609. Such versions are affected by the\nfollowing issues :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks can result in memory corruption.\n (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error that can lead to memory corruption\n when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error that can lead to memory\n corruption when processing specially crafted\n Director files. (CVE-2010-0129)\n\n - An integer overflow vulnerability that can lead to\n memory corruption when processing specially\n crafted Director files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files can lead to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts\n from a Directory file can lead to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n can result in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)", "modified": "2018-11-15T00:00:00", "published": "2010-05-12T00:00:00", "id": "SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=46329", "title": "Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(46329);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n \"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n script_xref(name:\"Secunia\", value:\"38751\");\n\n script_name(english:\"Shockwave Player < 11.5.7.609 Multiple Vulnerabilities (APSB10-12)\");\n script_summary(english:\"Checks version of Shockwave Player\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host contains a web browser plugin that is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host contains a version of Adobe's Shockwave Player\nthat is earlier than 11.5.7.609. Such versions are affected by the\nfollowing issues :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks can result in memory corruption.\n (CVE-2010-0127, CVE-2010-1283)\n\n - A signedness error that can lead to memory corruption\n when processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error that can lead to memory\n corruption when processing specially crafted\n Director files. (CVE-2010-0129)\n\n - An integer overflow vulnerability that can lead to\n memory corruption when processing specially\n crafted Director files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files can lead to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts\n from a Directory file can lead to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n can result in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-17/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-19/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-20/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-22/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-34/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-50/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/136\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/137\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/May/138\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_apsb09_08.nasl\");\n script_require_keys(\"SMB/shockwave_player\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\n\nport = kb_smb_transport();\ninstalls = get_kb_list('SMB/shockwave_player/*/path');\nif (isnull(installs))\n exit(0, 'Shockwave Player was not detected on the remote host.');\n\ninfo = NULL;\npattern = 'SMB/shockwave_player/([^/]+)/([^/]+)/path';\n\nforeach install (keys(installs))\n{\n match = eregmatch(string:install, pattern:pattern);\n if (!match) exit(1, 'Unexpected format of KB key \"'+install+'\".');\n\n file = installs[install];\n variant = match[1];\n version = match[2];\n ver = split(version, sep:'.', keep:FALSE);\n for (i = 0; i < max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n if (\n ver[0] < 11 ||\n (\n ver[0] == 11 &&\n (\n ver[1] < 5 ||\n (\n ver[1] == 5 &&\n (\n ver[2] < 7 ||\n (ver[2] == 7 && ver[3] < 609)\n )\n )\n )\n )\n )\n {\n if (variant == \"Plugin\")\n {\n info += '\\n - Browser Plugin (for Firefox / Netscape / Opera) :\\n';\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n - ActiveX control (for Internet Explorer) :\\n';\n }\n info += ' ' + file + ', ' + version + '\\n';\n }\n}\n\nif (!info) exit(0, \"No vulnerable installs of Shockwave Player were found.\");\n\nif (report_verbosity > 0)\n{\n if (max_index(split(info)) > 2) s = \"s\";\n else s = \"\";\n\n report =\n '\\nNessus has identified the following vulnerable instance'+s+' of Shockwave'+\n '\\nPlayer installed on the remote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n}\nelse security_hole(port:port);\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:20:30", "bulletinFamily": "scanner", "description": "The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.6.606 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks results in memory corruption. (CVE-2010-0127,\n CVE-2010-1283)\n\n - A signedness error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory\n corruption when processing specially crafted Director\n files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a\n Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n results in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)", "modified": "2018-07-14T00:00:00", "published": "2014-12-22T00:00:00", "id": "MACOSX_SHOCKWAVE_PLAYER_APSB10-12.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80172", "title": "Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80172);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\n \"CVE-2010-0127\",\n \"CVE-2010-0128\",\n \"CVE-2010-0129\",\n \"CVE-2010-0130\",\n \"CVE-2010-0986\",\n \"CVE-2010-0987\",\n \"CVE-2010-1280\",\n \"CVE-2010-1281\",\n \"CVE-2010-1282\",\n \"CVE-2010-1283\",\n \"CVE-2010-1284\",\n \"CVE-2010-1286\",\n \"CVE-2010-1287\",\n \"CVE-2010-1288\",\n \"CVE-2010-1289\",\n \"CVE-2010-1290\",\n \"CVE-2010-1291\",\n \"CVE-2010-1292\"\n );\n script_bugtraq_id(\n 40076,\n 40077,\n 40078,\n 40079,\n 40081,\n 40082,\n 40083,\n 40084,\n 40085,\n 40086,\n 40087,\n 40088,\n 40089,\n 40090,\n 40091,\n 40093,\n 40094,\n 40096\n );\n\n script_name(english:\"Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)\");\n script_summary(english:\"Checks the version of Shockwave Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser plugin that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.6.606 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Processing specially crafted FFFFFF45h Shockwave\n 3D blocks results in memory corruption. (CVE-2010-0127,\n CVE-2010-1283)\n\n - A signedness error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0128)\n\n - An array indexing error leads to memory corruption when\n processing specially crafted Director files.\n (CVE-2010-0129)\n\n - An integer overflow vulnerability leads to memory\n corruption when processing specially crafted Director\n files. (CVE-2010-0130)\n\n - An unspecified error when processing asset entries\n in Director files leads to memory corruption.\n (CVE-2010-0986)\n\n - A boundary error when processing embedded fonts from a\n Directory file leads to memory corruption.\n (CVE-2010-0987)\n\n - An unspecified error when processing Director files\n results in memory corruption. (CVE-2010-1280)\n\n - Several unspecified memory corruption vulnerabilities.\n (CVE-2010-1281, CVE-2010-1282, CVE-2010-1284,\n CVE-2010-1286, CVE-2010-1287, CVE-2010-1288,\n CVE-2010-1289, CVE-2010-1290, CVE-2010-1291,\n CVE-2010-1292)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-087/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-088/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-089/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19865c37\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/130\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/131\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2010/May/132\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/adobe-director-invalid-read\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Shockwave 11.5.7.609 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_detect_macosx.nbin\");\n script_require_keys(\"installed_sw/Shockwave Player\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = 'Shockwave Player';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\nif (ver_compare(ver:ver, fix:'11.5.6.606', strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed versions : 11.5.7.609' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-24T18:21:25", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "modified": "2018-09-22T00:00:00", "published": "2010-05-19T00:00:00", "id": "OPENVAS:1361412562310801335", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801335", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_mult_code_exe_vuln_may10.nasl 11553 2018-09-22 14:22:01Z cfischer $\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801335\");\n script_version(\"$Revision: 11553 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-22 16:22:01 +0200 (Sat, 22 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-19 14:50:39 +0200 (Wed, 19 May 2010)\");\n script_cve_id(\"CVE-2010-0127\", \"CVE-2010-0128\", \"CVE-2010-0129\", \"CVE-2010-0130\",\n \"CVE-2010-1280\", \"CVE-2010-1281\", \"CVE-2010-1282\", \"CVE-2010-1283\",\n \"CVE-2010-1284\", \"CVE-2010-1286\", \"CVE-2010-1287\", \"CVE-2010-1288\",\n \"CVE-2010-1289\", \"CVE-2010-1290\", \"CVE-2010-1291\", \"CVE-2010-1292\",\n \"CVE-2010-0987\", \"CVE-2010-0986\");\n script_bugtraq_id(40083, 40076, 40082, 40084, 40081, 40078, 40077, 40088, 40091,\n 40085, 40089, 40096, 40094, 40087, 40090, 40079, 40093, 40086);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/38751\");\n script_xref(name:\"URL\", value:\"http://www.zeroscience.mk/codes/shockwave_mem.txt\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1128\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_xref(name:\"URL\", value:\"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_mandatory_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code in\n the context of the affected application by tricking a user into visiting a\n specially crafted web page.\");\n script_tag(name:\"affected\", value:\"Adobe Shockwave Player prior to 11.5.7.609 on Windows.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are caused by memory corruption errors, integer and buffer\n overflows, array indexing, and signedness errors when processing malformed\n 'Shockwave' or 'Director' files, which could be exploited by attackers to\n execute arbitrary code by tricking a user into visiting a specially crafted\n web page.\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Shockwave Player 11.5.7.609\n http://get.adobe.com/shockwave/otherversions/\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\nif(version_is_less(version:shockVer, test_version:\"11.5.7.609\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:09:50", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "modified": "2017-02-10T00:00:00", "published": "2010-05-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801335", "id": "OPENVAS:801335", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_mult_code_exe_vuln_may10.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary code in\n the context of the affected application by tricking a user into visiting a\n specially crafted web page.\n Impact Level: Application.\";\ntag_affected = \"Adobe Shockwave Player prior to 11.5.7.609 on Windows.\";\ntag_insight = \"Multiple flaws are caused by memory corruption errors, integer and buffer\n overflows, array indexing, and signedness errors when processing malformed\n 'Shockwave' or 'Director' files, which could be exploited by attackers to\n execute arbitrary code by tricking a user into visiting a specially crafted\n web page.\";\ntag_solution = \"Upgrade to Adobe Shockwave Player 11.5.7.609\n http://get.adobe.com/shockwave/otherversions/\";\ntag_summary = \"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\";\n\nif(description)\n{\n script_id(801335);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-19 14:50:39 +0200 (Wed, 19 May 2010)\");\n script_cve_id(\"CVE-2010-0127\", \"CVE-2010-0128\", \"CVE-2010-0129\", \"CVE-2010-0130\",\n \"CVE-2010-1280\", \"CVE-2010-1281\", \"CVE-2010-1282\", \"CVE-2010-1283\",\n \"CVE-2010-1284\", \"CVE-2010-1286\", \"CVE-2010-1287\", \"CVE-2010-1288\",\n \"CVE-2010-1289\", \"CVE-2010-1290\", \"CVE-2010-1291\", \"CVE-2010-1292\",\n \"CVE-2010-0987\", \"CVE-2010-0986\");\n script_bugtraq_id(40083, 40076, 40082, 40084, 40081, 40078, 40077, 40088, 40091,\n 40085, 40089, 40096, 40094, 40087, 40090, 40079, 40093, 40086);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities May-10\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38751\");\n script_xref(name : \"URL\" , value : \"http://www.zeroscience.mk/codes/shockwave_mem.txt\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1128\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-12.html\");\n script_xref(name : \"URL\" , value : \"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php\");\n script_xref(name : \"URL\" , value : \"http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_require_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\n# Check for versions prior to 11.5.7.609\nif(version_is_less(version:shockVer, test_version:\"11.5.7.609\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}