Multiple vulnerabilities in Macromedia Flash ActiveX

2002-10-29T00:00:00
ID SECURITYVULNS:DOC:3696
Type securityvulns
Reporter Securityvulns
Modified 2002-10-29T00:00:00

Description

Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0)
Vendor: Macromedia was not contacted
Risk: High
Remote: Yes
Exploitable: Yes

Intro:

The Macromedia Flash ActiveX plugin displays .swf files under Internet Explorer.

Vulnerabilities:

A few vulnerabilities were identified: protected memory reading, memory consumption DoS and, more seriously:

  1. zlib 1.1.3 double free() bug
  2. Buffer overflow in the SWRemote parameter of the Flash object

Details:

The last bug is very close to the one reported by eEye in May [2]. This kind of overflow (a heap-based Unicode overflow) is definitely exploitable under Internet Explorer. The attached proof of concept (by LOM) [1] demonstrates an exception triggered in free(). See [3] on exploiting heap overflows and [4] on exploiting Unicode overflows under Internet Explorer.
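As an added illustration (not code from the advisory or from the Flash plugin, whose internals the advisory does not show), the length-check mistake that underlies a heap-based Unicode overflow: a bound that compares a character count against a byte capacity admits an ASCII parameter string that, once widened to UTF-16, needs roughly twice the space, while a check on the widened size rejects it. Function names and the parameter-copy scenario are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes occupied by a NUL-terminated UTF-16 copy of an n-character
 * ASCII string: each character widens to 2 bytes, plus a 2-byte
 * terminator. */
static size_t utf16_bytes_required(size_t n_chars)
{
    return (n_chars + 1) * sizeof(uint16_t);
}

/* Buggy pattern (constructed to show the bug class): the bound compares
 * a *character* count against a *byte* capacity, so it lets through
 * inputs up to nearly twice what the buffer can hold once widened.
 * Returns 1 when this wrong check would allow the copy to proceed. */
static int buggy_length_check(size_t n_chars, size_t dst_bytes)
{
    return n_chars < dst_bytes;
}

/* Hardened copy: widen an ASCII parameter into a caller-owned UTF-16
 * buffer only if the whole widened string, terminator included, fits
 * in dst_bytes. Returns the number of UTF-16 code units written
 * (terminator excluded), or -1 when the input would not fit. */
static long widen_param_checked(const char *src, uint16_t *dst, size_t dst_bytes)
{
    size_t n = strlen(src);
    if (utf16_bytes_required(n) > dst_bytes)
        return -1;                       /* refuse instead of overrunning */
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[n] = 0;
    return (long)n;
}
```

With a 64-byte destination, the buggy check accepts a 40-character string that actually needs 82 bytes; the hardened copy returns -1 for it and succeeds only for inputs whose widened form fits.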

Credits:

Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

References:

  1. Macromedia Shockwave proof of concept http://www.security.nnov.ru/files/swfexpl.zip
  2. eEye, Macromedia Flash Activex Buffer overflow http://www.eeye.com/html/Research/Advisories/AD20020502.html
  3. w00w00 on Heap Overflows http://www.w00w00.org/files/articles/heaptut.txt
  4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) http://www.security.nnov.ru/search/document.asp?docid=2554