Lucene search
Vulnerability Research LaboratoryVULNERABLE:179HistoryJun 18, 2011 - 12:00 a.m.
Flashplayer npswf32.dll - Memory Corruption Vulnerability
2011-06-1800:00:00
Vulnerability Research Laboratory
www.vulnerability-lab.com
4
Document Title:
===============
Flashplayer npswf32.dll - Memory Corruption Vulnerability
Release Date:
=============
2011-06-18
Vulnerability Laboratory ID (VL-ID):
====================================
179
Common Vulnerability Scoring System:
====================================
8.1
Product & Service Introduction:
===============================
Adobe® Flash® Player ist eine auf unterschiedlichen Plattformen einsetzbare, im Browser laufende Laufzeitanwendung, die
eine unbeeinträchtigte Anzeige von ausdrucksstarken Multimedia-Anwendungen, Inhalten und Videos auf unterschiedlichen
Displays und Browsern ermöglicht. Flash Player 10.3 wurde für optimale Anzeige auf Displays von Mobilgeräten ausgelegt
und nutzt systemeigene Funktionen des jeweiligen Geräts, damit der Benutzer eine detailreichere und fesselndere Darstellung erhält.
(Copy of the Vendor Homepage: http://get.adobe.com/de/flashplayer/)
Abstract Advisory Information:
==============================
The Vulnerability-Lab Team identified a critical memory corruption on the new Shockwave Flashplayer & Browser Addon.
Vulnerability Disclosure Timeline:
==================================
2011-04-06: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-06-16: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A new critical vulnerability has been identified in Adobe SW Flash Player, which may be exploited by remote attackers to
execute arbitrary commands. This issue is due to a memory corruption error when embedding a specially crafted .swf file through
a xul on browser players. Adobe Flash crashes (NPSWF32.dll) due to an null pointer exception, which allows an attacker to
overwrite & read a pointer in memory. The result is an arbitrary code execution. The victim need to visit a specially crafted embed HTML
or XUL Web page with player for execution or need to open a malicious & manipulated stream via player.
Vulnerable Module(s):
[+] NPSWF32.dll
--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129489977043370414
ReportType=2
Consent=1
ReportIdentifier=f144b1d9-7665-11e0-8892-e88c0453f9c7
IntegratorReportIdentifier=f144b1d8-7665-11e0-8892-e88c0453f9c7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=plugin-container.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=2.0.1.4120
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4da6a99c
Sig[3].Name=Fehlermodulname
Sig[3].Value=NPSWF32.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=10.2.152.26
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4d4b5b5c
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00178b8a
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=ca57
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=ca57f4d2c38c7795b111e2ddddad5066
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=2466
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=2466efe0a69899023df82e3bd3889773
UI[2]=C:\\\\\\\\Program Files(x86)\\\\\\\\Mozilla Firefox\\\\\\\\\\\\\\\\plugin-container.exe
LoadedModule[0]=C:\\\\\\\\plugin-container.exe
LoadedModule[1]=C:/Windows\\\\\\\\SysWOW64/ntdll.dll
... ... ...
LoadedModule[78]=C:\\\\\\\\Windows\\\\\\\\\\\\\\\\system32\\\\\\\\midimap.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Plugin Container for Firefox
AppPath=C:\\\\\\\\Program Files (x86)\\\\\\\\\\\\\\\\Mozilla Firefox\\\\\\\\\\\\\\\\plugin-container.exe
--- Exception Log ---
> .?
eax=7f0c1855 ebx=00000000 ecx=00000000 edx=00000000 esi=00619400 edi=02dd6a14
eip=688a8b8a esp=0031ea64 ebp=0031eaf0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Unable to load image C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\NPSWF32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NPSWF32.dll
*** ERROR: Module load completed but symbols could not be loaded for NPSWF32.dll
NPSWF32+0x178b8a:
688a8b8a 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????
--- Debug Log ---
FAULTING_IP:
NPSWF32+178b8a
688a8b8a 8b01 mov eax,dword ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
PROCESS_NAME: plugin-container.exe
FAULTING_MODULE: 75140000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP: 4d4b5b5c
MODULE_NAME: NPSWF32
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
NPSWF32+178b8a
688a8b8a 8b01 mov eax,dword ptr [ecx]
FAULTING_THREAD: 000009ac
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ
DEFAULT_BUCKET_ID: NULL_POINTER_READ
IP_ON_STACK:
+6d2e952f0505d890
0031eb78 0000 add byte ptr [eax],al
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER: from 0031eb78 to 688a8b8a
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0031eaf0 0031eb78 00000002 0031eb74 c0150008 NPSWF32+0x178b8a
00000000 00000000 00000000 00000000 00000000 0x31eb78
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NPSWF32+178b8a
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: NPSWF32.dll
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_NPSWF32.dll!Unknown
Followup: MachineOwner
---------
0:000> .exr 0xffffffffffffffff
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
---------
Pictures:
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
Proof of Concept (PoC):
=======================
The memory corruption vulnerability can be exploited by local & remote attackers. For demonstration or reproduce ...
Required for Reproduction:
Microsoft Windows7 x64; Mozilla Firefox; AntToolbar + Player & the famous Shockwave Flashplayer 10.3.181.14 with NPSWF32.dll
Manually but remote reproduce ... follow the steps 1:1!
1. Install Mozilla Firefox & the addon Ant Toolbar with the nice player
2. To catch the bug use windbg, immunity or ollydbg under win7 x64
3. Open http://th3-0utl4ws.com with our .swf PoC
4. Down in the Browser Status Bar click on the Download or Player Button
5. Startup the SWF file of the website & open it for example 2 times
6. The crash happens when the security-check is asking the user for his acceptance, when processing the .swf file.
PoC:
../video-demo.wmv
PoC:
../intro.swf
Analyses: (Reports)
../AppCrash_plugin-container_1a70e13d391b60691e57e8a02eb38b46a893a1d_003d8c2b
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_04e19f4f
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_11e6e7b0
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_cab_1303fae3
../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_114ed366
../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_cab_0cb4ab67
../Flash
../Video-PoC && ../PoC
Security Risk:
==============
The security risk of the remote memory corruption vulnerability is estimated as critical.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory