Adobe Shockwave Invalid Offset Memory Corruption Remote Code Execution Vulnerability

ID ZDI-10-087
Type zdi
Reporter Anonymous
Modified 2010-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required in that a target must visit a malicious website.

The specific flaw exists within the code responsible for parsing Director files. The vulnerable function is exported as an ordinal from the iml32.dll module. Ordinal 1409 trusts a value from the file as an offset and updates pointers accordingly. By crafting a large enough value and seeking the file pointer past the end of a buffer, this can be abused to corrupt heap memory. An attacker can abuse this to execute arbitrary code under the context of the user running the browser.
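The bug class described above (a file-supplied offset applied to a cursor without validation) is avoided by checking the offset against the bytes remaining before moving. The following is an added illustration, not Adobe's code and not taken from the advisory; the cursor type, function names and record layout are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cursor over a file buffer already loaded in memory.
 * Invariant maintained by every helper: pos <= len. */
typedef struct {
    const uint8_t *base;
    size_t len;
    size_t pos;
} cursor_t;

/* Read a big-endian 32-bit value; fails if fewer than 4 bytes remain. */
static int read_u32(cursor_t *c, uint32_t *out)
{
    if (c->len - c->pos < 4)
        return -1;
    const uint8_t *p = c->base + c->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    c->pos += 4;
    return 0;
}

/* Advance by a file-supplied offset. The unchecked pattern is simply
 * `c->pos += off;`, which lets the file move the cursor past the buffer.
 * Comparing against the remaining length also avoids overflow in pos + off. */
static int seek_rel(cursor_t *c, uint32_t off)
{
    if (off > c->len - c->pos)
        return -1;
    c->pos += off;
    return 0;
}

/* Constructed record layout: [u32 offset][skipped bytes][u32 value].
 * Returns 0 and stores the value, or -1 if the record is malformed. */
int parse_record(const uint8_t *buf, size_t len, uint32_t *value)
{
    cursor_t c = { buf, len, 0 };
    uint32_t off;
    if (read_u32(&c, &off) != 0 || seek_rel(&c, off) != 0)
        return -1;
    return read_u32(&c, value);
}

/* Constructed samples: a valid record and one with an oversized offset. */
const uint8_t sample_ok[]  = { 0,0,0,2, 0xAA,0xBB, 0,0,0x12,0x34 };
const uint8_t sample_bad[] = { 0x7F,0xFF,0xFF,0xFF, 0xAA,0xBB, 0,0,0x12,0x34 };
```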