SecurityTracker.com
Category:   Application (Multimedia)  >   Adobe Flash Player
Vendors:   Macromedia
Macromedia ActiveX Flash Player Heap Overflow Will Execute Arbitrary Code in Malicious Flash Content
SecurityTracker Alert ID:  1005649
SecurityTracker URL:  http://securitytracker.com/id/1005649
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 18 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6.0 (6,0,47,0)
Description:   A heap overflow vulnerability was reported in the Macromedia Flash player's ActiveX component for Microsoft Windows. A remote user can execute arbitrary code on the target user's system.

SECURITY.NNOV reported that the Flash player is affected by the previously reported double free() zlib vulnerability as well as a previously unreported overflow in the SWRemote parameter. The SWRemote overflow may be triggered by setting and changing the parameter properties (using JavaScript, for example).

A remote user can create malicious Flash content that, when viewed by the target user, will cause arbitrary code to be executed on the target user's computer. The code will run with the privileges of the target user.

Demonstration exploit code is available at:

http://www.security.nnov.ru/files/swfexpl.zip

The vendor has reportedly been notified.

SECURITY.NNOV credits LOM <lom at lom.spb.ru> with discovering the flaw.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   No solution was available at the time of this entry. The author of the advisory indicates that you can disable ActiveX in Internet Explorer or uninstall the Flash ActiveX component as a workaround.
Vendor URL:  www.macromedia.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)
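
A content-inspection example for the SWRemote vector described above, added here and not taken from the advisory, SECURITY.NNOV or Macromedia: it flags pages that set the SWRemote parameter in markup or assign it from script, so a proxy or mail gateway can log or block them while no fix is installed. The 256-character threshold, the `scan` function, the finding labels, the `embed` attribute form and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MAX_LEN = 256  # assumption: the advisory states no length; tune per site
SCRIPT_WRITE = re.compile(r"\.\s*SWRemote\s*=(?!=)", re.IGNORECASE)

# Constructed sample page (not taken from the advisory or its proof of concept).
SAMPLE = (
    '<object id="movie"><param name="movie" value="a.swf">'
    '<param name="SWRemote" value="' + "A" * 300 + '"></object>'
    '<script>movie.SWRemote = s1; movie.SWRemote = s2;</script>'
)


class SWRemoteScanner(HTMLParser):
    """Records every place a page sets the Flash SWRemote parameter."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, value length or write count)
        self._script = None     # collected script text while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}   # names arrive lower-cased
        if tag == "script":
            self._script = []
        elif tag == "param" and a.get("name", "").lower() == "swremote":
            self._value("param", a.get("value", ""))
        elif tag == "embed" and "swremote" in a:
            self._value("embed", a["swremote"])

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            writes = len(SCRIPT_WRITE.findall("".join(self._script)))
            if writes:
                self.findings.append(("script-write", writes))
            self._script = None

    def _value(self, where, value):
        kind = "oversized" if len(value) > MAX_LEN else "present"
        self.findings.append((f"{where}-{kind}", len(value)))


def scan(html):
    scanner = SWRemoteScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Call `scan(SAMPLE)` to see the findings for the constructed page; script reads and comparisons of SWRemote are ignored, only assignments are counted.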

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix and Disputes One Claim) Re: Macromedia ActiveX Flash Player Heap Overflow Will Execute Arbitrary Code in Malicious Flash Content
Macromedia has responded to indicate that both issues have been resolved.



 Source Message Contents

Subject:  LOM: Multiple vulnerabilities in Macromedia Flash ActiveX



Author: LOM <lom at lom.spb.ru>
Product:  Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
          Explorer
Vendor: Macromedia was contacted on 23 Oct 2002.
Risk: High
Remote: Yes
Exploitable: Yes

Intro:

The Macromedia Flash ActiveX plugin displays .swf files under Internet
Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have
the Macromedia Flash Player".

Vulnerabilities:

A few vulnerabilities were identified: protected memory reading, memory
consumption DoS and the more serious:
 1. zlib 1.1.3 double free() bug
 2. Buffer overflow in the SWRemote parameter for the Flash object.

Details:

The last bug is very close to the one reported by eEye in May [2]. It
was probably not found by eEye because the overflow is heap based, so
the exception is triggered on free(). It may be achieved by setting and
changing the property with JavaScript, for example. This kind of
overflow (heap-based Unicode overflow) is exploitable under Internet
Explorer. The attached proof of concept (by LOM) [1] demonstrates the
exception triggered in free(). See [3] for exploiting heap overflows and
[4] for exploiting Unicode overflows under Internet Explorer.

Credits:

Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

Vendor:

Macromedia was contacted on 23 Oct 2002. The only reply, received on
29 Oct 2002, was that Macromedia will look into these issues.

Workaround:

Disable ActiveX in Internet Explorer or uninstall Flash ActiveX.

References:

1. Macromedia Shockwave proof of concept
   http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash Activex Buffer overflow
   http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
   http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
   few sidenotes on Unicode overflows in general)
   http://www.security.nnov.ru/search/document.asp?docid=2554
5. Additional or updated information on this issue
   http://www.security.nnov.ru/search/news.asp?binid=1982



-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)


 
 



Copyright 2019, SecurityGlobal.net LLC