MacroMedia Flash/Shockwave plug-in on linux : memcpy overrun problem.

2000-08-15T00:00:00
ID SECURITYVULNS:DOC:552
Type securityvulns
Reporter Securityvulns
Modified 2000-08-15T00:00:00

Description


A replacement library for checking well-known type of stack overrun caused by memory copy / string copy operations has been made available, namely libsafe.

I have used it on Linux and I spotted a couple of suspicious popular programs on linux.

I have been using libsafe on linux and found that the netscape plug-in for Flash/Shockwave seems to have a memcpy overrun problem. (Adobe acrobat reader on linux also has some issues with libsafe. But this seems to be caused by the different libc, a somewhat old compat-libc, used by acrobat reader. So I won't go into details on acrobat reader.)

Flash / ShockWave plug-in for netscape.

For the netscape flash/shockwave plug-in on linux, the log output below shows the output from libsafe. The first and the second last messages are from the test suite of libsafe. The other logs are from netscape (during flash/shockwave plug-in operation from what I remember). You can see that netscape versions 4.72, 4.73 and 4.74 suffered from the memcpy() overwrite problem. (During the period, the kernel was upgraded from 2.2.14 to 2.2.15, 2.2.16, 2.4.0-test4, etc.)

    ishikawa@standard$ more libsafe-netscape-showckwave-flash.bug
    Apr 23 01:04:15 standard libsafe.so[1534]: version 1.3
    Apr 23 01:04:15 standard libsafe.so[1534]: detected an attempt to write across stack boundary.
    Apr 23 01:04:15 standard libsafe.so[1534]: terminating /opt2/tools/libsafe/exploits/t1
    Apr 23 01:04:15 standard libsafe.so[1534]: overflow caused by strcpy()
    Apr 29 04:35:23 standard libsafe.so[648]: version 1.3
    Apr 29 04:35:23 standard libsafe.so[648]: detected an attempt to write across stack boundary.
    Apr 29 04:35:23 standard libsafe.so[648]: terminating /opt/ns472/netscape
    Apr 29 04:35:23 standard libsafe.so[648]: overflow caused by memcpy()
    May 2 02:11:53 standard libsafe.so[1153]: version 1.3
    May 2 02:11:53 standard libsafe.so[1153]: detected an attempt to write across stack boundary.
    May 2 02:11:53 standard libsafe.so[1153]: terminating /opt/ns472/netscape
    May 2 02:11:53 standard libsafe.so[1153]: overflow caused by memcpy()
    Jul 2 02:58:32 standard libsafe.so[1648]: version 1.3
    Jul 2 02:58:32 standard libsafe.so[1648]: detected an attempt to write across stack boundary.
    Jul 2 02:58:32 standard libsafe.so[1648]: terminating /opt/ns473/netscape
    Jul 2 02:58:32 standard libsafe.so[1648]: overflow caused by memcpy()
    Jul 2 23:39:05 standard libsafe.so[639]: version 1.3
    Jul 2 23:39:05 standard libsafe.so[639]: detected an attempt to write across stack boundary.
    Jul 2 23:39:05 standard libsafe.so[639]: terminating /opt/ns473/netscape
    Jul 2 23:39:05 standard libsafe.so[639]: overflow caused by memcpy()
    Jul 8 03:04:47 standard libsafe.so[390]: version 1.3
    Jul 8 03:04:47 standard libsafe.so[390]: detected an attempt to write across stack boundary.
    Jul 8 03:04:47 standard libsafe.so[390]: terminating /opt/ns473/netscape
    Jul 8 03:04:47 standard libsafe.so[390]: overflow caused by memcpy()
    Jul 11 04:10:47 standard libsafe.so[1424]: version 1.3
    Jul 11 04:10:47 standard libsafe.so[1424]: detected an attempt to write across stack boundary.
    Jul 11 04:10:47 standard libsafe.so[1424]: terminating /opt2/tools/libsafe/exploits/t1
    Jul 11 04:10:47 standard libsafe.so[1424]: overflow caused by strcpy()
    Aug 14 00:30:11 standard libsafe.so[393]: version 1.3
    Aug 14 00:30:11 standard libsafe.so[393]: detected an attempt to write across stack boundary.
    Aug 14 00:30:11 standard libsafe.so[393]: terminating /opt/ns474/netscape
    Aug 14 00:30:11 standard libsafe.so[393]: overflow caused by memcpy()
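As an added illustration (not part of the original post), the Python below parses libsafe syslog lines of the kind shown above into one event per terminated process and tallies which binaries libsafe killed and which intercepted function triggered the kill, setting aside hits from libsafe's own test suite. The embedded sample is a subset of the log excerpt above; the four-line event layout (version banner, detection, terminating, cause) and the test-suite path prefix are assumptions drawn from that excerpt only.

```python
import re
from collections import defaultdict

# Sample lines copied from the libsafe syslog excerpt in the post above
# (one four-line event per process id; the first one is libsafe's own test).
SAMPLE_LOG = """\
Apr 23 01:04:15 standard libsafe.so[1534]: version 1.3
Apr 23 01:04:15 standard libsafe.so[1534]: detected an attempt to write across stack boundary.
Apr 23 01:04:15 standard libsafe.so[1534]: terminating /opt2/tools/libsafe/exploits/t1
Apr 23 01:04:15 standard libsafe.so[1534]: overflow caused by strcpy()
Apr 29 04:35:23 standard libsafe.so[648]: version 1.3
Apr 29 04:35:23 standard libsafe.so[648]: detected an attempt to write across stack boundary.
Apr 29 04:35:23 standard libsafe.so[648]: terminating /opt/ns472/netscape
Apr 29 04:35:23 standard libsafe.so[648]: overflow caused by memcpy()
Jul 2 02:58:32 standard libsafe.so[1648]: version 1.3
Jul 2 02:58:32 standard libsafe.so[1648]: detected an attempt to write across stack boundary.
Jul 2 02:58:32 standard libsafe.so[1648]: terminating /opt/ns473/netscape
Jul 2 02:58:32 standard libsafe.so[1648]: overflow caused by memcpy()
Aug 14 00:30:11 standard libsafe.so[393]: version 1.3
Aug 14 00:30:11 standard libsafe.so[393]: detected an attempt to write across stack boundary.
Aug 14 00:30:11 standard libsafe.so[393]: terminating /opt/ns474/netscape
Aug 14 00:30:11 standard libsafe.so[393]: overflow caused by memcpy()
"""

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> libsafe.so[<pid>]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) libsafe\.so\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Assumed location of libsafe's own exploit test programs (from the log above).
TEST_SUITE_PREFIX = "/opt2/tools/libsafe/exploits/"


def parse_events(text):
    """Group libsafe lines into events; a 'version' banner opens a new event for its pid."""
    open_events = {}  # pid -> event still being assembled
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a libsafe line (other daemons share the syslog)
        pid, msg = int(m.group("pid")), m.group("msg")
        if msg.startswith("version "):
            ev = {"ts": m.group("ts"), "host": m.group("host"), "pid": pid,
                  "libsafe_version": msg[len("version "):],
                  "binary": None, "cause": None}
            open_events[pid] = ev  # a reused pid simply starts a fresh event
            events.append(ev)
            continue
        ev = open_events.get(pid)
        if ev is None:
            continue  # stray line with no preceding version banner
        if msg.startswith("terminating "):
            ev["binary"] = msg[len("terminating "):]
        elif msg.startswith("overflow caused by "):
            ev["cause"] = msg[len("overflow caused by "):]
    return events


def summarize(events, test_prefix=TEST_SUITE_PREFIX):
    """Count (binary, cause) pairs, skipping libsafe's own test-suite hits."""
    counts = defaultdict(int)
    for ev in events:
        if ev["binary"] is None or ev["binary"].startswith(test_prefix):
            continue
        counts[(ev["binary"], ev["cause"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (binary, cause), n in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {binary}  via {cause}")
```

Keying open events by pid and re-opening on every version banner keeps one process's four lines together even when other libsafe-instrumented processes interleave, and keeps a later process that reuses the pid from being merged into an earlier event.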

It has been rather difficult to figure out what URL exactly caused libsafe to detect the error and abort netscape. Oftentimes, when I clicked on a new URL, one of the URL links in the new web page was a flash shockwave page and the loading automatically started, and before I knew it, netscape aborted.

But for the last one, dated Aug 14, I know what URL caused the abort exactly. This prompted me to write this article. (Presumably, those who have access to the source code of the Flash/Shockwave plug-in should be able to fix this problem easily by trying the URL.)

    URL:
    http://www.washingtonpost.com/wp-srv/photo/conventions/

    There is a big photo of the national political convention
    in the middle and "ENTER" button.
    Clicking on  "ENTER" will start loading the flash/shockwave
    movie or something and this triggered the error reported
    in the above log. (As soon as the loading of ~ 500KB
    data ended, my netscape aborted.)

Severity/Exploit:

I have no idea how hard it is to exploit this memcpy overrun. But given that some linux distribution vendors felt it was necessary to do something about the jpeg decoder bug in netscape, this plug-in issue probably ought to be dealt with in a similar manner: it can certainly cause a DoS attack.

Before I forget, let me explain that I tried to reach the people responsible for technical problems/security problems at Macromedia without success so far. Simply stated, I could not find contact e-mail addresses easily. I am not a registered user of these programs (they are available for free), and so it is very difficult to use MacroMedia web submission forms. It has been a few weeks since I wrote to various addresses I found on the web pages. I have not heard from human recipients yet and decided to post this article instead in the hope of getting someone at MacroMedia to become aware of the problem.

(Come to think of it, I thought this may be marginally related to the netscape browser itself, and so sent a message using the security reporting form on the Netscape web page. I wonder if the message was forwarded to MacroMedia.)

I would welcome anyone forwarding this post to the responsible parties.

My suggestions to software vendors: on the web page, either post a security-related contact address or at least a generic e-mail address where these findings can be sent. Posting only e-mail addresses for very limited use is not very helpful under these circumstances.

--
Ishikawa, Chiaki
ishikawa@personal-media.co.jp.NoSpam
or (family name, given name) Chiaki.Ishikawa@personal-media.co.jp.NoSpam
Personal Media Corp.
Remove .NoSpam at the end before use
Shinagawa, Tokyo, Japan 142-0051