Flashplayer npswf32.dll - Memory Corruption Vulnerability

2011-06-18T00:00:00
ID VULNERLAB:179
Type vulnerlab
Reporter Vulnerability Research Laboratory
Modified 2011-06-18T00:00:00

Description

                                        
                                            Document Title:
===============
Flashplayer npswf32.dll - Memory Corruption Vulnerability



Release Date:
=============
2011-06-18


Vulnerability Laboratory ID (VL-ID):
====================================
179


Common Vulnerability Scoring System:
====================================
8.1


Product & Service Introduction:
===============================
Adobe® Flash® Player ist eine auf unterschiedlichen Plattformen einsetzbare, im Browser laufende Laufzeitanwendung, die 
eine unbeeinträchtigte Anzeige von ausdrucksstarken Multimedia-Anwendungen, Inhalten und Videos auf unterschiedlichen 
Displays und Browsern ermöglicht. Flash Player 10.3 wurde für optimale Anzeige auf Displays von Mobilgeräten ausgelegt 
und nutzt systemeigene Funktionen des jeweiligen Geräts, damit der Benutzer eine detailreichere und fesselndere Darstellung erhält.

(Copy of the Vendor Homepage: http://get.adobe.com/de/flashplayer/)


Abstract Advisory Information:
==============================
The Vulnerability-Lab Team identified a critical memory corruption on the new Shockwave Flashplayer & Browser Addon.


Vulnerability Disclosure Timeline:
==================================
2011-04-06:	Vendor Notification
2011-00-00:	Vendor Response/Feedback
2011-00-00:	Vendor Fix/Patch
2011-06-16:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A new critical vulnerability has been identified in Adobe SW Flash Player, which may be exploited by remote attackers to 
execute arbitrary commands. This issue is due to a memory corruption error when embedding a specially crafted .swf file through 
a xul on browser players. Adobe Flash crashes (NPSWF32.dll) due to an null pointer exception, which allows an attacker to 
overwrite & read a pointer in memory. The result is an arbitrary code execution. The victim need to visit a specially crafted embed HTML 
or XUL Web page with player for execution or need to open a malicious & manipulated stream via player.


Vulnerable Module(s):
			[+] NPSWF32.dll




--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129489977043370414
ReportType=2
Consent=1
ReportIdentifier=f144b1d9-7665-11e0-8892-e88c0453f9c7
IntegratorReportIdentifier=f144b1d8-7665-11e0-8892-e88c0453f9c7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=plugin-container.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=2.0.1.4120
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4da6a99c
Sig[3].Name=Fehlermodulname
Sig[3].Value=NPSWF32.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=10.2.152.26
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4d4b5b5c
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00178b8a
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=ca57
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=ca57f4d2c38c7795b111e2ddddad5066
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=2466
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=2466efe0a69899023df82e3bd3889773
UI[2]=C:\\\\\\\\Program Files(x86)\\\\\\\\Mozilla Firefox\\\\\\\\\\\\\\\\plugin-container.exe
LoadedModule[0]=C:\\\\\\\\plugin-container.exe
LoadedModule[1]=C:/Windows\\\\\\\\SysWOW64/ntdll.dll
...   ...   ...
LoadedModule[78]=C:\\\\\\\\Windows\\\\\\\\\\\\\\\\system32\\\\\\\\midimap.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Plugin Container for Firefox
AppPath=C:\\\\\\\\Program Files (x86)\\\\\\\\\\\\\\\\Mozilla Firefox\\\\\\\\\\\\\\\\plugin-container.exe


--- Exception Log ---
> .?
eax=7f0c1855 ebx=00000000 ecx=00000000 edx=00000000 esi=00619400 edi=02dd6a14
eip=688a8b8a esp=0031ea64 ebp=0031eaf0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Unable to load image C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\NPSWF32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NPSWF32.dll
*** ERROR: Module load completed but symbols could not be loaded for NPSWF32.dll
NPSWF32+0x178b8a:
688a8b8a 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????



--- Debug Log ---
FAULTING_IP: 
NPSWF32+178b8a
688a8b8a 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

PROCESS_NAME:  plugin-container.exe

FAULTING_MODULE: 75140000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP:  4d4b5b5c
MODULE_NAME: NPSWF32
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
READ_ADDRESS:  00000000 

FOLLOWUP_IP: 
NPSWF32+178b8a
688a8b8a 8b01            mov     eax,dword ptr [ecx]

FAULTING_THREAD:  000009ac
BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
DEFAULT_BUCKET_ID:  NULL_POINTER_READ

IP_ON_STACK: 
+6d2e952f0505d890
0031eb78 0000            add     byte ptr [eax],al

FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER:  from 0031eb78 to 688a8b8a

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0031eaf0 0031eb78 00000002 0031eb74 c0150008 NPSWF32+0x178b8a
00000000 00000000 00000000 00000000 00000000 0x31eb78


STACK_COMMAND:		~0s; .ecxr ; kb
SYMBOL_STACK_INDEX:  	0
SYMBOL_NAME:  		NPSWF32+178b8a
FOLLOWUP_NAME:  	MachineOwner
IMAGE_NAME:  		NPSWF32.dll
BUCKET_ID:  		WRONG_SYMBOLS
FAILURE_BUCKET_ID:  	NULL_POINTER_READ_c0000005_NPSWF32.dll!Unknown
Followup: 		MachineOwner
---------

0:000> .exr 0xffffffffffffffff
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
---------


Pictures:
		../1.png
		../2.png
		../3.png
		../4.png
		../5.png
		../6.png
		../7.png
		../8.png


Proof of Concept (PoC):
=======================
The memory corruption vulnerability can be exploited by local & remote attackers. For demonstration or reproduce ...

Required for Reproduction: 
Microsoft Windows7 x64; Mozilla Firefox; AntToolbar + Player & the famous Shockwave Flashplayer 10.3.181.14 with NPSWF32.dll

Manually but remote reproduce ... follow the steps 1:1!

1. Install Mozilla Firefox & the addon Ant Toolbar with the nice player
2. To catch the bug use windbg, immunity or ollydbg under win7 x64
3. Open http://th3-0utl4ws.com with our .swf PoC
4. Down in the Browser Status Bar click on the Download or Player Button
5. Startup the SWF file of the website & open it for example 2 times
6. The crash happens when the security-check is asking the user for his acceptance, when processing the .swf file.

PoC:
		../video-demo.wmv

PoC:
		../intro.swf

Analyses: (Reports)

		../AppCrash_plugin-container_1a70e13d391b60691e57e8a02eb38b46a893a1d_003d8c2b
		../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_04e19f4f
		../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_11e6e7b0
		../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_cab_1303fae3
		../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_114ed366
		../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_cab_0cb4ab67
		../Flash
		../Video-PoC  && ../PoC


Security Risk:
==============
The security risk of the remote memory corruption vulnerability is estimated as critical.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory