ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-079
February 8, 2011
-- CVE ID:
CVE-2011-0557
-- CVSS:
9, (AV:N/AC:L/Au:N/C:C/I:P/A:P)
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10816.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the parsing of 3D assets within a
director movie. The routine responsible for parsing 3D record type
0xFFFFFF45 does not properly validate a count field within the
structure. If this value is too large, the process can create a faulty
allocation. Later, when the rendering routine attempts to use this
buffer memory is corrupted. This can be abused by remote attackers to
execute arbitrary code under the context of the user running the
browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-01.html
-- Disclosure Timeline:
2010-11-23 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
{"id": "SECURITYVULNS:DOC:25666", "bulletinFamily": "software", "title": "ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability", "description": "ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-079\r\n\r\nFebruary 8, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0557\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:C/I:P/A:P)\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Shockwave Player\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10816. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of the Adobe Shockwave Player. User interaction\r\nis required to exploit this vulnerability in that the target must visit\r\na malicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the parsing of 3D assets within a\r\ndirector movie. The routine responsible for parsing 3D record type\r\n0xFFFFFF45 does not properly validate a count field within the\r\nstructure. If this value is too large, the process can create a faulty\r\nallocation. Later, when the rendering routine attempts to use this\r\nbuffer memory is corrupted. This can be abused by remote attackers to\r\nexecute arbitrary code under the context of the user running the\r\nbrowser.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb11-01.html\r\n\r\n-- Disclosure Timeline:\r\n2010-11-23 - Vulnerability reported to vendor\r\n2011-02-08 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "published": "2011-02-11T00:00:00", "modified": "2011-02-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25666", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2011-0557"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 7.9, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-0557"]}, {"type": "nessus", "idList": ["SHOCKWAVE_PLAYER_APSB11-01.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11417"]}, {"type": "zdi", "idList": ["ZDI-11-079"]}]}, "exploitation": null, "vulnersScore": 7.9}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645390111}}
{"cve": [{"lastseen": "2022-03-23T11:38:57", "description": "Integer overflow in Adobe Shockwave Player before 11.5.9.620 allows remote attackers to execute arbitrary code via a Director movie with a large count value in 3D assets type 0xFFFFFF45 record, which triggers a \"faulty allocation\" and memory corruption.", "cvss3": {}, "published": "2011-02-10T16:00:00", "type": "cve", "title": "CVE-2011-0557", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0557"], "modified": "2018-10-09T19:29:00", "cpe": ["cpe:/a:adobe:shockwave_player:10.2.0.023", "cpe:/a:adobe:shockwave_player:10.0.0.210", "cpe:/a:adobe:shockwave_player:8.0.196", "cpe:/a:adobe:shockwave_player:8.5.325", "cpe:/a:adobe:shockwave_player:9.0.383", "cpe:/a:adobe:shockwave_player:11.0.3.471", "cpe:/a:adobe:shockwave_player:10.1.4.020", "cpe:/a:adobe:shockwave_player:11.5.2.602", "cpe:/a:adobe:shockwave_player:10.2.0.021", "cpe:/a:adobe:shockwave_player:8.0.196a", "cpe:/a:adobe:shockwave_player:10.1.0.11", "cpe:/a:adobe:shockwave_player:8.0", "cpe:/a:adobe:shockwave_player:8.5.1.103", "cpe:/a:adobe:shockwave_player:8.5.1.106", "cpe:/a:adobe:shockwave_player:8.5.1.105", "cpe:/a:adobe:shockwave_player:11.5.6.606", "cpe:/a:adobe:shockwave_player:11.0.0.456", "cpe:/a:adobe:shockwave_player:6.0", "cpe:/a:adobe:shockwave_player:8.5.321", "cpe:/a:adobe:shockwave_player:8.5.324", "cpe:/a:adobe:shockwave_player:4.0", "cpe:/a:adobe:shockwave_player:8.5.323", "cpe:/a:adobe:shockwave_player:11.5.9.615", "cpe:/a:adobe:shockwave_player:11.5.7.609", "cpe:/a:adobe:shockwave_player:11.5.0.595", "cpe:/a:adobe:shockwave_player:5.0", "cpe:/a:adobe:shockwave_player:8.0.205", "cpe:/a:adobe:shockwave_player:10.0.1.004", "cpe:/a:adobe:shockwave_player:11.5.1.601", "cpe:/a:adobe:shockwave_player:9.0.432", "cpe:/a:adobe:shockwave_player:8.5.1.100", "cpe:/a:adobe:shockwave_player:11.5.8.612", "cpe:/a:adobe:shockwave_player:9", "cpe:/a:adobe:shockwave_player:8.5.1", "cpe:/a:adobe:shockwave_player:2.0", "cpe:/a:adobe:shockwave_player:10.1.0.011", "cpe:/a:adobe:shockwave_player:10.2.0.022", "cpe:/a:adobe:shockwave_player:3.0", "cpe:/a:adobe:shockwave_player:1.0", "cpe:/a:adobe:shockwave_player:8.0.204", "cpe:/a:adobe:shockwave_player:11.5.0.596", "cpe:/a:adobe:shockwave_player:10.1.1.016"], "id": "CVE-2011-0557", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0557", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:shockwave_player:8.5.1.105:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.2.0.022:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.2.602:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.321:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.0.596:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.0.595:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.324:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.323:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.7.609:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:9.0.383:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.1.0.011:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.0.1.004:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.0.196:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.1.4.020:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.6.606:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:9.0.432:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.1.103:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.9.615:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.1.601:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.0.3.471:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.1.1.016:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.2.0.021:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.1.106:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.0.0.210:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.1.100:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.0.196a:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.0.0.456:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.0.204:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:10.2.0.023:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:9:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:11.5.8.612:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.5.325:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:shockwave_player:8.0.205:*:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2022-01-31T20:59:45", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3D assets within a director movie. The routine responsible for parsing 3D record type 0xFFFFFF45 does not properly validate a count field within the structure. If this value is too large, the process can create a faulty allocation. Later, when the rendering routine attempts to use this buffer memory is corrupted. This can be abused by remote attackers to execute arbitrary code under the context of the user running the browser.", "cvss3": {}, "published": "2011-02-08T00:00:00", "type": "zdi", "title": "Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0557"], "modified": "2011-02-08T00:00:00", "id": "ZDI-11-079", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-079/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-04-27T19:22:34", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "cvss3": {}, "published": "2011-02-15T00:00:00", "type": "openvas", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4187", "CVE-2011-0555", "CVE-2010-4307", "CVE-2010-4192", "CVE-2010-4093", "CVE-2010-2589", "CVE-2011-0569", "CVE-2011-0556", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4195", "CVE-2010-2588", "CVE-2011-0557", "CVE-2010-4196", "CVE-2010-4193", "CVE-2010-2587", "CVE-2010-4188", "CVE-2010-4191", "CVE-2010-4092", "CVE-2010-4194", "CVE-2010-4306"], "modified": "2020-04-23T00:00:00", "id": "OPENVAS:1361412562310801846", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801846", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801846\");\n script_version(\"2020-04-23T08:43:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 08:43:39 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-02-15 08:14:35 +0100 (Tue, 15 Feb 2011)\");\n script_cve_id(\"CVE-2010-2587\", \"CVE-2010-2588\", \"CVE-2010-2589\",\n \"CVE-2010-4092\", \"CVE-2010-4093\", \"CVE-2010-4187\",\n \"CVE-2010-4188\", \"CVE-2010-4189\", \"CVE-2010-4190\",\n \"CVE-2010-4191\", \"CVE-2010-4192\", \"CVE-2010-4193\",\n \"CVE-2010-4194\", \"CVE-2010-4195\", \"CVE-2010-4196\",\n \"CVE-2010-4306\", \"CVE-2010-4307\", \"CVE-2011-0555\",\n \"CVE-2011-0556\", \"CVE-2011-0557\", \"CVE-2011-0569\");\n script_bugtraq_id(46146);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2011/0335\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-01.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_mandatory_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code by\n tricking a user into visiting a specially crafted web page.\");\n script_tag(name:\"affected\", value:\"Adobe Shockwave Player Versions prior to 11.5.9.620 on Windows.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are caused by input validation errors, memory corruptions,\n buffer and integer overflows, and use-after-free errors in the DIRAPI, IML32,\n TextXtra, 3d Asset, and Xtra.x32 modules when processing malformed Shockwave\n or Director files.\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Shockwave Player version 11.5.9.620 or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://get.adobe.com/shockwave/otherversions/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\nif(version_is_less(version:shockVer, test_version:\"11.5.9.620\")){\n report = report_fixed_ver(installed_version:shockVer, fixed_version:\"11.5.9.620\");\n security_message(port: 0, data: report);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:13:34", "description": "This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.", "cvss3": {}, "published": "2011-02-15T00:00:00", "type": "openvas", "title": "Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4187", "CVE-2011-0555", "CVE-2010-4307", "CVE-2010-4192", "CVE-2010-4093", "CVE-2010-2589", "CVE-2011-0569", "CVE-2011-0556", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4195", "CVE-2010-2588", "CVE-2011-0557", "CVE-2010-4196", "CVE-2010-4193", "CVE-2010-2587", "CVE-2010-4188", "CVE-2010-4191", "CVE-2010-4092", "CVE-2010-4194", "CVE-2010-4306"], "modified": "2017-02-25T00:00:00", "id": "OPENVAS:801846", "href": "http://plugins.openvas.org/nasl.php?oid=801846", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_mult_code_exec_vuln_feb11.nasl 5424 2017-02-25 16:52:36Z teissa $\n#\n# Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code by\n tricking a user into visiting a specially crafted web page.\n Impact Level: Application.\";\ntag_affected = \"Adobe Shockwave Player Versions prior to 11.5.9.620 on Windows.\";\ntag_insight = \"Multiple flaws are caused by input validation errors, memory corruptions,\n buffer and integer overflows, and use-after-free errors in the DIRAPI, IML32,\n TextXtra, 3d Asset, and Xtra.x32 modules when processing malformed Shockwave\n or Director files.\";\ntag_solution = \"Upgrade to Adobe Shockwave Player version 11.5.9.620 or later,\n For updates refer to http://get.adobe.com/shockwave/otherversions/\";\ntag_summary = \"This host is installed with Adobe Shockwave Player and is prone\n to multiple remote code execution vulnerabilities.\";\n\nif(description)\n{\n script_id(801846);\n script_version(\"$Revision: 5424 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-15 08:14:35 +0100 (Tue, 15 Feb 2011)\");\n script_cve_id(\"CVE-2010-2587\", \"CVE-2010-2588\", \"CVE-2010-2589\",\n \"CVE-2010-4092\", \"CVE-2010-4093\", \"CVE-2010-4187\",\n \"CVE-2010-4188\", \"CVE-2010-4189\", \"CVE-2010-4190\",\n \"CVE-2010-4191\", \"CVE-2010-4192\", \"CVE-2010-4193\",\n \"CVE-2010-4194\", \"CVE-2010-4195\", \"CVE-2010-4196\",\n \"CVE-2010-4306\", \"CVE-2010-4307\", \"CVE-2011-0555\",\n \"CVE-2011-0556\", \"CVE-2011-0557\", \"CVE-2011-0569\");\n script_bugtraq_id(46146);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Shockwave Player Multiple Remote Code Execution Vulnerabilities - Feb 2011\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2011/0335\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb11-01.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_require_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nshockVer = get_kb_item(\"Adobe/ShockwavePlayer/Ver\");\nif(!shockVer){\n exit(0);\n}\n\n## Check for Adobe Shockwave Player versions prior to 11.5.9.620\nif(version_is_less(version:shockVer, test_version:\"11.5.9.620\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2021-06-08T19:12:17", "description": "Multiple memory corruptions.", "edition": 2, "cvss3": {}, "published": "2011-02-14T00:00:00", "title": "Adobe Shockwave Player multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4187", "CVE-2011-0555", "CVE-2010-4307", "CVE-2010-4192", "CVE-2010-4093", "CVE-2010-2589", "CVE-2011-0569", "CVE-2011-0556", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4195", "CVE-2010-2588", "CVE-2011-0557", "CVE-2010-4196", "CVE-2010-4193", "CVE-2010-2587", "CVE-2010-4188", "CVE-2010-4191", "CVE-2010-4092", "CVE-2010-4194", "CVE-2010-4306"], "modified": "2011-02-14T00:00:00", "id": "SECURITYVULNS:VULN:11417", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11417", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:38", "description": "Security update available for Shockwave Player\r\n\r\nRelease date: February 8, 2011\r\n\r\nVulnerability identifier: APSB11-01\r\n\r\nCVE number: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589, CVE-2010-4092,\r\nCVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190,\r\nCVE-2010-4191, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195,\r\nCVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2011-0555, CVE-2011-0556,\r\nCVE-2011-0557, CVE-2011-0569\r\n\r\nPlatform: Windows and Macintosh\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier\r\nversions on the Windows and Macintosh operating systems. These vulnerabilities could allow an\r\nattacker, who successfully exploits these vulnerabilities, to run malicious code on the affected\r\nsystem. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions\r\nupdate to Adobe Shockwave Player 11.5.9.620 using the instructions provided below.\r\nAffected software versions\r\n\r\nShockwave Player 11.5.9.615 and earlier versions for Windows and Macintosh\r\nSolution\r\n\r\nAdobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions upgrade to\r\nthe newest version 11.5.9.620, available here: http://get.adobe.com/shockwave/.\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical update and recommends that users apply the latest update for\r\ntheir product installation by following the instructions in the "Solution" section above.\r\nDetails\r\n\r\nCritical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier\r\nversions on the Windows and Macintosh operating systems. These vulnerabilities could allow an\r\nattacker, who successfully exploits these vulnerabilities, to run malicious code on the affected\r\nsystem. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions\r\nupdate to Adobe Shockwave Player 11.5.9.620 using the instructions provided above.\r\n\r\nThis update resolves a memory corruption vulnerability in the dirapi.dll module that could lead\r\nto code execution (CVE-2010-2587).\r\n\r\nThis update resolves a memory corruption vulnerability in the dirapi.dll module that could lead\r\nto code execution (CVE-2010-2588).\r\n\r\nThis update resolves an integer overflow vulnerability in the dirapi.dll module that could lead to\r\ncode execution (CVE-2010-2589).\r\n\r\nThis update resolves a use-after-free vulnerability that could lead to code execution\r\n(CVE-2010-4092).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4093).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4187).\r\n\r\nThis update resolves a memory corruption vulnerability in the dirapi.dll module that could lead\r\nto code execution (CVE-2010-4188).\r\n\r\nThis update resolves a memory corruption vulnerability in the IML32 module that could lead to\r\ncode execution (CVE-2010-4189).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4190).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4191).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4192).\r\n\r\nThis update resolves an input validation vulnerability that could lead to code execution\r\n(CVE-2010-4193).\r\n\r\nThis update resolves an input validation vulnerability in the dirapi.dll module that could lead to\r\ncode execution (CVE-2010-4194).\r\n\r\nThis update resolves an input validation vulnerability in the TextXtra module that could lead to\r\ncode execution (CVE-2010-4195).\r\n\r\nThis update resolves an input validation vulnerability in the Shockwave 3d Asset module that could\r\nlead to code execution (CVE-2010-4196).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-4306).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution\r\n(CVE-2010-4307).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2011-0555).\r\n\r\nThis update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could\r\nlead to code execution (CVE-2011-0556).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution\r\n(CVE-2011-0557).\r\n\r\nThis update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could\r\nlead to code execution (CVE-2011-0569).\r\nAcknowledgments\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant\r\nissues and for working with Adobe to help protect our customers:\r\n\u2022 Carsten Eiram, Secunia Research (CVE-2010-2587, CVE-2010-2588, CVE-2010-2589).\r\n\u2022 Krystian Kloskowski (h07), working with Secunia Research (CVE-2010-4092).\r\n\u2022 Will Dormann of CERT/CC (CVE-2010-4093, CVE-2010-4193, CVE-2010-4194,\r\nCVE-2010-4195, CVE-2010-4196).\r\n\u2022 Andrzej Dyjak of iDefense Labs (CVE-2010-4187).\r\n\u2022 Aaron Portnoy and Logan Brown, TippingPoint DVLabs (CVE-2010-4188).\r\n\u2022 Logan Brown and Aaron Portnoy, TippingPoint DVLabs(CVE-2011-0555,\r\nCVE-2011-0556).\r\n\u2022 Aaron Portnoy and Logan Brown, TippingPoint DVLabs (CVE-2010-4189).\r\n\u2022 Aniway and Luigi Auriemma through TippingPoint's Zero Day Initiative\r\n(CVE-2010-4190).\r\n\u2022 An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2010-4191).\r\n\u2022 Aniway through TippingPoint's Zero Day Initiative (CVE-2010-4192).\r\n\u2022 IBM X-Force (CVE-2010-4306, CVE-2010-4307).\r\n\u2022 An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2011-0557).\r\n\u2022 Logan Brown and Aaron Portnoy, TippingPoint DVLabs and Luigi Auriemma through TippingPoint's Zero\r\nDay Initiative (CVE-2011-0569). ", "edition": 1, "cvss3": {}, "published": "2011-02-11T00:00:00", "title": "Security update available for Shockwave Player", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-4187", "CVE-2011-0555", "CVE-2010-4307", "CVE-2010-4192", "CVE-2010-4093", "CVE-2010-2589", "CVE-2011-0569", "CVE-2011-0556", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4195", "CVE-2010-2588", "CVE-2011-0557", "CVE-2010-4196", "CVE-2010-4193", "CVE-2010-2587", "CVE-2010-4188", "CVE-2010-4191", "CVE-2010-4092", "CVE-2010-4194", "CVE-2010-4306"], "modified": "2011-02-11T00:00:00", "id": "SECURITYVULNS:DOC:25658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25658", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-08-19T13:01:34", "description": "The remote Windows host contains a version of Adobe's Shockwave Player that is earlier than 11.5.9.620. Such versions are potentially affected by the following issues :\n\n - Several unspecified errors exist in the 'dirapi.dll' module that may allow arbitrary code execution. (CVE-2010-2587, CVE-2010-2588, CVE-2010-4188)\n\n - An error exists in the 'dirapi.dll' module related to an integer overflow and that may allow arbitrary code execution. (CVE-2010-2589)\n\n - It is reported that a use-after-free error exists in an unspecified compatibility component related to the 'Settings' window and an unloaded, unspecified library. This error is reported to allow arbitrary code execution when a crafted, malicious website is visited. (CVE-2010-4092)\n\n - Unspecified errors exist that may allow arbitrary code execution or memory corruption. The attack vectors is unspecified. (CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, CVE-2010-4306, CVE-2011-0555)\n\n - An input validation error exists in the 'IML32' module that may allow arbitrary code execution when processing global color table size of a GIF image contained in a Director movie. (CVE-2010-4189)\n\n - An unspecified input validation error exists that may allow arbitrary code execution through unspecified vectors. (CVE-2010-4193)\n\n - An unspecified input validation error exists in the 'dirapi.dll' module that may allow arbitrary code execution through unspecified vectors. (CVE-2010-4194)\n\n - An integer overflow error exists in the '3D Assets' module when parsing 3D assets containing the record type '0xFFFFFF45'. This error may allow arbitrary code execution. (CVE-2010-4196)\n\n - An input validation error exists in the 'DEMUX' chunks parsing portion of the 'TextXtra.x32' module. This error may allow arbitrary code execution. (CVE-2010-4195)\n\n - An unspecified buffer overflow error exists that may allow arbitrary code execution through unspecified vectors. (CVE-2010-4307)\n\n - An error exists in the 'PFR1' chunks parsing portion of the 'Font Xtra.x32' module. This error may allow arbitrary code execution. (CVE-2011-0556)\n\n - An unspecified integer overflow error exists that may allow arbitrary code execution through unspecified vectors.(CVE-2011-0557)\n\n - An error exists in the 'Font Xtra.x32' module related to signedness that may allow arbitrary code execution.\n (CVE-2011-0569)", "cvss3": {"score": null, "vector": null}, "published": "2011-02-10T00:00:00", "type": "nessus", "title": "Shockwave Player < 11.5.9.620 (APSB11-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2587", "CVE-2010-2588", "CVE-2010-2589", "CVE-2010-4092", "CVE-2010-4093", "CVE-2010-4187", "CVE-2010-4188", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4191", "CVE-2010-4192", "CVE-2010-4193", "CVE-2010-4194", "CVE-2010-4195", "CVE-2010-4196", "CVE-2010-4306", "CVE-2010-4307", "CVE-2011-0555", "CVE-2011-0556", "CVE-2011-0557", "CVE-2011-0569"], "modified": "2018-07-27T00:00:00", "cpe": ["cpe:/a:adobe:shockwave_player"], "id": "SHOCKWAVE_PLAYER_APSB11-01.NASL", "href": "https://www.tenable.com/plugins/nessus/51936", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51936);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/27 18:38:15\");\n\n script_cve_id(\n \"CVE-2010-2587\", \"CVE-2010-2588\", \"CVE-2010-2589\", \"CVE-2010-4092\", \n \"CVE-2010-4093\", \"CVE-2010-4187\", \"CVE-2010-4188\", \"CVE-2010-4189\",\n \"CVE-2010-4190\", \"CVE-2010-4191\", \"CVE-2010-4192\", \"CVE-2010-4193\",\n \"CVE-2010-4194\", \"CVE-2010-4195\", \"CVE-2010-4196\", \"CVE-2010-4306\",\n \"CVE-2010-4307\", \"CVE-2011-0555\", \"CVE-2011-0556\", \"CVE-2011-0557\",\n \"CVE-2011-0569\");\n script_bugtraq_id(\n 44617, \n 46316,\n 46317,\n 46318,\n 46319,\n 46320,\n 46321,\n 46324,\n 46325,\n 46326,\n 46327,\n 46328,\n 46329,\n 46330,\n 46332,\n 46333,\n 46334,\n 46335,\n 46336,\n 46338,\n 46339\n );\n script_xref(name:\"Secunia\", value:\"42112\");\n\n script_name(english:\"Shockwave Player < 11.5.9.620 (APSB11-01)\");\n script_summary(english:\"Checks version of Shockwave Player\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser plugin that is\naffected by multiple vulnerabilities.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe's Shockwave\nPlayer that is earlier than 11.5.9.620. Such versions are potentially\naffected by the following issues :\n\n - Several unspecified errors exist in the 'dirapi.dll' \n module that may allow arbitrary code execution. \n (CVE-2010-2587, CVE-2010-2588, CVE-2010-4188)\n\n - An error exists in the 'dirapi.dll' module related to \n an integer overflow and that may allow arbitrary code\n execution. (CVE-2010-2589)\n\n - It is reported that a use-after-free error exists in an\n unspecified compatibility component related to the \n 'Settings' window and an unloaded, unspecified library. \n This error is reported to allow arbitrary code execution \n when a crafted, malicious website is visited. \n (CVE-2010-4092)\n\n - Unspecified errors exist that may allow arbitrary \n code execution or memory corruption. The attack vectors\n is unspecified. (CVE-2010-4093, CVE-2010-4187, \n CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, \n CVE-2010-4306, CVE-2011-0555)\n\n - An input validation error exists in the 'IML32' module\n that may allow arbitrary code execution when processing \n global color table size of a GIF image contained in a \n Director movie. (CVE-2010-4189)\n\n - An unspecified input validation error exists that may\n allow arbitrary code execution through unspecified\n vectors. (CVE-2010-4193)\n\n - An unspecified input validation error exists in the \n 'dirapi.dll' module that may allow arbitrary code \n execution through unspecified vectors. (CVE-2010-4194)\n\n - An integer overflow error exists in the '3D Assets'\n module when parsing 3D assets containing the record\n type '0xFFFFFF45'. This error may allow arbitrary code\n execution. (CVE-2010-4196)\n\n - An input validation error exists in the 'DEMUX' chunks \n parsing portion of the 'TextXtra.x32' module. This\n error may allow arbitrary code execution. \n (CVE-2010-4195)\n\n - An unspecified buffer overflow error exists that may\n allow arbitrary code execution through unspecified\n vectors. (CVE-2010-4307)\n\n - An error exists in the 'PFR1' chunks parsing portion\n of the 'Font Xtra.x32' module. This error may allow\n arbitrary code execution. (CVE-2011-0556)\n\n - An unspecified integer overflow error exists that may\n allow arbitrary code execution through unspecified\n vectors.(CVE-2011-0557)\n\n - An error exists in the 'Font Xtra.x32' module related\n to signedness that may allow arbitrary code execution.\n (CVE-2011-0569)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-078/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-079/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-080/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-01.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Shockwave 11.5.9.620 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/10\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"shockwave_player_apsb09_08.nasl\");\n script_require_keys(\"SMB/shockwave_player\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\nport = kb_smb_transport();\ninstalls = get_kb_list('SMB/shockwave_player/*/path');\nif (isnull(installs)) exit(0, 'Shockwave Player was not detected on the remote host.');\n\ninfo = NULL;\npattern = 'SMB/shockwave_player/([^/]+)/([^/]+)/path';\n\nforeach install (keys(installs))\n{\n match = eregmatch(string:install, pattern:pattern);\n if (!match) exit(1, 'Unexpected format of KB key \"' + install + '\".');\n\n file = installs[install];\n variant = match[1];\n version = match[2];\n\n if (ver_compare(ver:version, fix:'11.5.9.620') == -1)\n {\n if (variant == 'Plugin')\n info += '\\n - Browser Plugin (for Firefox / Netscape / Opera) :\\n';\n else if (variant == 'ActiveX')\n info += '\\n - ActiveX control (for Internet Explorer) :\\n';\n info += ' ' + file + ', ' + version + '\\n';\n }\n}\n\nif (!info) exit(0, 'No vulnerable installs of Shockwave Player were found.');\n\nif (report_verbosity > 0)\n{\n if (max_index(split(info)) > 2) s = \"s\";\n else s = \"\";\n\n report = \n '\\nNessus has identified the following vulnerable instance'+s+' of Shockwave'+\n '\\nPlayer installed on the remote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:13:27", "description": "The remote Mac OS X host contains a version of Adobe Shockwave Player that is 11.5.9.615 or earlier. It is, therefore, affected by multiple vulnerabilities :\n\n - Several unspecified errors exist in the 'dirapi.dll' module that allow arbitrary code execution.\n (CVE-2010-2587, CVE-2010-2588, CVE-2010-4188)\n\n - An error exists in the 'dirapi.dll' module related to an integer overflow that allows arbitrary code execution. (CVE-2010-2589)\n\n - It is reported that a use-after-free error exists in an unspecified compatibility component related to the 'Settings' window and an unloaded, unspecified library.\n This error is reported to allow arbitrary code execution when a crafted, malicious website is visited.\n (CVE-2010-4092)\n\n - Unspecified errors exist that allow arbitrary code execution or memory corruption. The attack vectors is unspecified. (CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, CVE-2010-4306, CVE-2011-0555)\n\n - An input validation error exists in the 'IML32' module that allows arbitrary code execution when processing the global color table size of a GIF image contained in a Director movie. (CVE-2010-4189)\n\n - An unspecified input validation error exists that allows arbitrary code execution through unspecified vectors.\n (CVE-2010-4193)\n\n - An unspecified input validation error exists in the 'dirapi.dll' module that allows arbitrary code execution through unspecified vectors. (CVE-2010-4194)\n\n - An integer overflow error exists in the '3D Assets' module when parsing 3D assets containing the record type '0xFFFFFF45'. This error allows arbitrary code execution. (CVE-2010-4196)\n\n - An input validation error exists in the 'DEMUX' chunks parsing portion of the 'TextXtra.x32' module. This error allows arbitrary code execution. (CVE-2010-4195)\n\n - An unspecified buffer overflow error exists that allows arbitrary code execution through unspecified vectors.\n (CVE-2010-4307)\n\n - An error exists in the 'PFR1' chunks parsing portion of the 'Font Xtra.x32' module. This error allows arbitrary code execution. (CVE-2011-0556)\n\n - An unspecified integer overflow error exists that allows arbitrary code execution through unspecified vectors (CVE-2011-0557)\n\n - An error exists in the 'Font Xtra.x32' module related to signedness that allows arbitrary code execution.\n (CVE-2011-0569)", "cvss3": {"score": null, "vector": null}, "published": "2014-12-22T00:00:00", "type": "nessus", "title": "Adobe Shockwave Player <= 11.5.9.615 (APSB11-01) (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2587", "CVE-2010-2588", "CVE-2010-2589", "CVE-2010-4092", "CVE-2010-4093", "CVE-2010-4187", "CVE-2010-4188", "CVE-2010-4189", "CVE-2010-4190", "CVE-2010-4191", "CVE-2010-4192", "CVE-2010-4193", "CVE-2010-4194", "CVE-2010-4195", "CVE-2010-4196", "CVE-2010-4306", "CVE-2010-4307", "CVE-2011-0555", "CVE-2011-0556", "CVE-2011-0557", "CVE-2011-0569"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:shockwave_player"], "id": "MACOSX_SHOCKWAVE_PLAYER_APSB11-01.NASL", "href": "https://www.tenable.com/plugins/nessus/80175", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80175);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2010-2587\",\n \"CVE-2010-2588\",\n \"CVE-2010-2589\",\n \"CVE-2010-4092\",\n \"CVE-2010-4093\",\n \"CVE-2010-4187\",\n \"CVE-2010-4188\",\n \"CVE-2010-4189\",\n \"CVE-2010-4190\",\n \"CVE-2010-4191\",\n \"CVE-2010-4192\",\n \"CVE-2010-4193\",\n \"CVE-2010-4194\",\n \"CVE-2010-4195\",\n \"CVE-2010-4196\",\n \"CVE-2010-4306\",\n \"CVE-2010-4307\",\n \"CVE-2011-0555\",\n \"CVE-2011-0556\",\n \"CVE-2011-0557\",\n \"CVE-2011-0569\"\n );\n script_bugtraq_id(\n 44617,\n 46316,\n 46317,\n 46318,\n 46319,\n 46320,\n 46321,\n 46324,\n 46325,\n 46326,\n 46327,\n 46328,\n 46329,\n 46330,\n 46332,\n 46333,\n 46334,\n 46335,\n 46336,\n 46338,\n 46339\n );\n script_xref(name:\"SECUNIA\", value:\"42112\");\n\n script_name(english:\"Adobe Shockwave Player <= 11.5.9.615 (APSB11-01) (Mac OS X)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser plugin that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host contains a version of Adobe Shockwave Player\nthat is 11.5.9.615 or earlier. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Several unspecified errors exist in the 'dirapi.dll'\n module that allow arbitrary code execution.\n (CVE-2010-2587, CVE-2010-2588, CVE-2010-4188)\n\n - An error exists in the 'dirapi.dll' module related to\n an integer overflow that allows arbitrary code\n execution. (CVE-2010-2589)\n\n - It is reported that a use-after-free error exists in an\n unspecified compatibility component related to the\n 'Settings' window and an unloaded, unspecified library.\n This error is reported to allow arbitrary code execution\n when a crafted, malicious website is visited.\n (CVE-2010-4092)\n\n - Unspecified errors exist that allow arbitrary code\n execution or memory corruption. The attack vectors is\n unspecified. (CVE-2010-4093, CVE-2010-4187,\n CVE-2010-4190, CVE-2010-4191, CVE-2010-4192,\n CVE-2010-4306, CVE-2011-0555)\n\n - An input validation error exists in the 'IML32' module\n that allows arbitrary code execution when processing the\n global color table size of a GIF image contained in a\n Director movie. (CVE-2010-4189)\n\n - An unspecified input validation error exists that allows\n arbitrary code execution through unspecified vectors.\n (CVE-2010-4193)\n\n - An unspecified input validation error exists in the\n 'dirapi.dll' module that allows arbitrary code execution\n through unspecified vectors. (CVE-2010-4194)\n\n - An integer overflow error exists in the '3D Assets'\n module when parsing 3D assets containing the record\n type '0xFFFFFF45'. This error allows arbitrary code\n execution. (CVE-2010-4196)\n\n - An input validation error exists in the 'DEMUX' chunks\n parsing portion of the 'TextXtra.x32' module. This\n error allows arbitrary code execution. (CVE-2010-4195)\n\n - An unspecified buffer overflow error exists that allows\n arbitrary code execution through unspecified vectors.\n (CVE-2010-4307)\n\n - An error exists in the 'PFR1' chunks parsing portion\n of the 'Font Xtra.x32' module. This error allows\n arbitrary code execution. (CVE-2011-0556)\n\n - An unspecified integer overflow error exists that allows\n arbitrary code execution through unspecified vectors\n (CVE-2011-0557)\n\n - An error exists in the 'Font Xtra.x32' module related\n to signedness that allows arbitrary code execution.\n (CVE-2011-0569)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-078/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-079/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-080/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-01.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Shockwave 11.5.9.620 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-0569\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"shockwave_player_detect_macosx.nbin\");\n script_require_keys(\"installed_sw/Shockwave Player\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = 'Shockwave Player';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\nif (ver_compare(ver:ver, fix:'11.5.9.615', strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed versions : 11.5.9.620' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability
