Adobe Shockwave KEY* Chunk Invalid Size Remote Code Execution Vulnerability

ID ZDI-11-212
Type zdi
Reporter Luigi Auriemma
Modified 2011-06-22T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Shockwave handles KEY elements in a Director file. The Shockwave player allocates memory with a size taken from the Shockwave file but always copies a few bytes into that allocation. KEY sizes smaller than 4 will therefore cause the copy to write past the end of the allocation. By carefully crafting the input file, an attacker can leverage this to execute arbitrary code in the context of the current user.
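
The missing bounds check described above, as an added defensive example that is not Adobe's code and not part of the original advisory. The chunk layout (a 4-byte little-endian size followed by the data), the 4-byte fixed write, and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the fixed write is 4 bytes; the advisory says only "a few
   bytes" and that declared sizes smaller than 4 overflow the allocation. */
#define KEY_FIXED_BYTES 4u

enum { KEY_OK = 0, KEY_TOO_SMALL = -1, KEY_TRUNCATED = -2, KEY_NOMEM = -3 };

/* Hypothetical layout: [u32 little-endian size][size bytes of data]. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern per the advisory: malloc(size) followed by an unconditional
   KEY_FIXED_BYTES write. This version validates size before either step.
   On KEY_OK the caller owns *out and must free() it. */
int key_chunk_load(const uint8_t *buf, size_t len, uint8_t **out, uint32_t *out_size) {
    *out = NULL;
    *out_size = 0;
    if (len < 4) return KEY_TRUNCATED;                /* no room for the size field */
    uint32_t size = read_le32(buf);
    if (size < KEY_FIXED_BYTES) return KEY_TOO_SMALL; /* fixed write would not fit */
    if (size > len - 4) return KEY_TRUNCATED;         /* size not backed by input */
    uint8_t *p = malloc(size);
    if (p == NULL) return KEY_NOMEM;
    memcpy(p, buf + 4, KEY_FIXED_BYTES);              /* the fixed-size write */
    memcpy(p + KEY_FIXED_BYTES, buf + 4 + KEY_FIXED_BYTES, size - KEY_FIXED_BYTES);
    *out = p;
    *out_size = size;
    return KEY_OK;
}

int main(void) {
    /* Constructed sample inputs, not taken from any real Director file. */
    const uint8_t undersized[] = {2, 0, 0, 0, 0xAA, 0xBB};
    const uint8_t valid[] = {6, 0, 0, 0, 1, 2, 3, 4, 5, 6};
    uint8_t *data;
    uint32_t n;
    printf("undersized -> %d\n", key_chunk_load(undersized, sizeof undersized, &data, &n));
    printf("valid      -> %d\n", key_chunk_load(valid, sizeof valid, &data, &n));
    free(data);
    return 0;
}
```

The second check matters as much as the first: a declared size larger than the remaining input is rejected before allocation, so the length field can drive neither an undersized buffer nor an out-of-bounds read.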