Macromedia Shockwave Flash Malformed Header Overflow #2

2002-12-17T00:00:00
ID SECURITYVULNS:DOC:3891
Type securityvulns
Reporter Securityvulns
Modified 2002-12-17T00:00:00

Description

Macromedia Shockwave Flash Malformed Header Overflow #2

Release Date: December 16, 2002

Severity: High (Remote Code Execution)

Systems Affected: Macromedia Flash Player versions less than 6.0.65.0

Description: While working on some pre-release Retina® CHAM tools, multiple exploitable conditions were discovered within the Shockwave Flash file format SWF (pronounced "SWIF").

There exists a vulnerability within Macromedia's Flash software and its handling of malformed Flash files. Attackers can use this vulnerability to compromise users of Macromedia's Flash software. A corrupt file may be placed on a website or in some cases within an HTML email.

We provided Macromedia with various corrupt Flash files, a few of which we verified for exploitability. Macromedia has since fixed the exploitable conditions as well as various other bugs that were found.

The primary danger of exploiting Macromedia Flash is its extensive user base and portability across operating systems. Further, it is "version frozen" on operating system installation set-ups, so issues may linger for sometime. Regardless, Macromedia has fixed all of the known issues.

Technical Description: The data header is roughly made out as:

[Flash Signature][version (1)][File Length(a number of bytes too short)][Frame Size (malformed)][Frame Rate (malformed)][Frame Count (malformed)][Data]

While the diagram may remain the same for this issue as in the previous issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there are variations in the malformed data which are very specific to this issue. In this case, EBP is completely controlled, so exploitation is straight-forward. EDI is also directly controlled as well as EDX and EDI which all give attackers the ability to easily exploit the vulnerable scenarios.

Protection: Retina® Network Security Scanner (http://www.eeye.com/Retina) has been updated to identify this latest Macromedia Flash vulnerability.

Vendor Status: Macromedia has been notified and released a patch for this vulnerability, available at: http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

Credit: Drew Copley, Research Engineer, eEye Digital Security

Greetings: StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.

Copyright (c) 1998-2002 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback Please send suggestions, updates, and comments to:

eEye Digital Security http://www.eEye.com info@eEye.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Delivery co-sponsored by TruSecure Corporation oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Demonstrate your knowledge and understanding of core IT Security, become TICSA certified.

Are you responsible for IT security in job function, but not necessarily in title? Do you want to prove your IT security knowledge and increase opportunities? Interested? Visit;

http://www.trusecure.com/solutions/certifications/ticsa/

for more information. oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo