SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Multimedia)  >  Adobe Flash Player
Vendors:   Macromedia
(Vendor Issues Fix and Disputes One Claim) Re: Macromedia ActiveX Flash Player Heap Overflow Will Execute Arbitrary Code in Malicious Flash Content
SecurityTracker Alert ID:  1005654
SecurityTracker URL:  http://securitytracker.com/id/1005654
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 19 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0 (6,0,47,0)
Description:   A heap overflow vulnerability was reported in the Macromedia Flash Player's ActiveX component for Microsoft Windows (Internet Explorer). A remote user can execute arbitrary code on the target user's system.

SECURITY.NNOV reported that the Flash Player is affected by the previously reported zlib double free() vulnerability and by a previously unreported overflow in the SWRemote parameter of the Flash ActiveX object. The SWRemote overflow is heap-based, so the fault surfaces in free() rather than at the copy itself, and it can be triggered by setting and then changing the property value (from JavaScript, for example).

A remote user can create malicious Flash content that, when viewed by the target user, will cause arbitrary code to be executed on the target user's computer. The code will run with the privileges of the target user.
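The mechanism described above, a heap-based overflow in a string property whose damage is only noticed when the corrupted chunk is freed, can be shown in a small self-contained C program. This is an added illustration, not Flash Player code and not the SECURITY.NNOV proof of concept; the buffer size PROP_CAPACITY, the bytes-versus-code-units length check in the buggy setter, and the canary that stands in for the allocator's bookkeeping are assumptions made for the demonstration.

```c
/*
 * Added illustration, not Flash Player code: why a heap-based overflow in a
 * string-property setter can pass unnoticed until free().
 *
 * Assumptions (not from the advisory): the property value arrives as UTF-16
 * code units (as an ActiveX BSTR does), the setter reserves PROP_CAPACITY
 * code units on the heap, and the buggy setter validates the length in
 * code units against a size in bytes, so a value up to twice the capacity
 * passes the check.  A real allocator's chunk header would sit just past the
 * buffer; here it is modelled as a canary inside the same allocation so the
 * program stays well-defined C while showing the same symptom.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROP_CAPACITY 8             /* code units reserved for the property (assumed) */
#define CANARY        0xDEADBEEFu

typedef struct {
    uint16_t value[PROP_CAPACITY];  /* the property buffer: 16 bytes */
    uint32_t bookkeeping;           /* stands in for the next chunk's heap metadata */
} prop_block;

static prop_block *prop_alloc(void) {
    prop_block *b = calloc(1, sizeof *b);
    if (b) b->bookkeeping = CANARY;
    return b;
}

/* Buggy setter: checks the code-unit count against the byte size of the
 * buffer (16), so n = 9..16 is accepted although only 8 units fit.  The copy
 * goes through the block's raw bytes so that the spill into 'bookkeeping'
 * is defined behaviour; the cap at sizeof *b is a simulation boundary only. */
static int set_prop_unchecked(prop_block *b, const uint16_t *src, size_t n) {
    size_t bytes = n * sizeof *src;
    if (n > sizeof b->value) return -1;       /* wrong unit: bytes, not code units */
    if (bytes > sizeof *b) return -1;         /* simulation boundary, not part of the bug */
    memcpy((unsigned char *)b, src, bytes);   /* n > 8 overwrites 'bookkeeping' */
    return 0;
}

/* Hardened setter: rejects anything longer than the reserved code units
 * before touching the heap, and clears the unused tail. */
static int set_prop_checked(prop_block *b, const uint16_t *src, size_t n) {
    if (n > PROP_CAPACITY) return -1;
    memcpy(b->value, src, n * sizeof *src);
    memset(b->value + n, 0, (PROP_CAPACITY - n) * sizeof *src);
    return 0;
}

/* Stands in for the allocator's consistency check at free(): 1 if the
 * bookkeeping was intact, 0 if the chunk had been corrupted. */
static int prop_free(prop_block *b) {
    int intact = (b->bookkeeping == CANARY);
    free(b);
    return intact;
}

typedef int (*prop_setter)(prop_block *, const uint16_t *, size_t);

/* The "set, then change" sequence the advisory describes: a short value is
 * assigned first, then replaced by one of 'change_len' code units.
 * Returns 1 if the block was still intact at free(), 0 if it was corrupted,
 * -1 if the setter refused the change. */
static int run_scenario(prop_setter setter, size_t change_len) {
    uint16_t first[4] = { 'a', 'b', 'c', 'd' };
    uint16_t second[16];
    size_t i;
    for (i = 0; i < 16; i++) second[i] = (uint16_t)('A' + i);
    if (change_len > 16) return -1;

    prop_block *b = prop_alloc();
    if (!b) return -1;
    if (setter(b, first, 4) != 0 || setter(b, second, change_len) != 0) {
        free(b);
        return -1;
    }
    return prop_free(b);   /* the corruption only shows up here */
}

int main(void) {
    printf("unchecked, 8 units : %d\n", run_scenario(set_prop_unchecked, 8));   /* 1: fits */
    printf("unchecked, 10 units: %d\n", run_scenario(set_prop_unchecked, 10));  /* 0: corrupt, noticed at free */
    printf("checked,   10 units: %d\n", run_scenario(set_prop_checked, 10));    /* -1: refused */
    return 0;
}
```

The point to take from the run is the one the advisory makes: the buggy setter returns success for the ten-unit value, nothing faults at the copy, and the damage is only observed when the block is released. A fuzzer or a reviewer watching for a crash at the assignment will miss this class of bug; watch the free() instead.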

Demonstration exploit code is available at:

http://www.security.nnov.ru/files/swfexpl.zip

The vendor was reportedly contacted on 23 Oct 2002 and replied on 29 Oct 2002 that it would look into the issues.

SECURITY.NNOV credits LOM <lom at lom.spb.ru> with discovering the flaw.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   Macromedia reports that the fix for the zlib double free() bug shipped with Flash Player 6 in March 2002 and that the current Flash Player ships with the latest zlib release (1.1.4).

Macromedia confirms that the SWRemote parameter can be used to crash the Flash Player but states that it could not reproduce an exploitable buffer overflow (one that leads to code execution). The crash (denial of service) is reportedly fixed in Macromedia's publicly available beta, at:

http://www.macromedia.com/software/flashplayer/special/beta/

In both cases, Macromedia indicates that they worked directly with the reporter to resolve these issues.
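Macromedia's answer to the zlib issue is that the player ships zlib 1.1.4. A practitioner who wants to confirm that for a given build, rather than take the vendor's word for it, can look for the version string zlib embeds in every binary that links it. The C program below is an added example, not part of the advisory or of any Macromedia tooling; it assumes zlib's inflate_copyright and deflate_copyright constants have the form " inflate 1.1.3 Copyright ... " and " deflate 1.1.3 Copyright ... ", and the sample buffer is constructed for the demonstration, not taken from a real Flash Player file.

```c
/*
 * Added check, not from the advisory or from Macromedia: tell which zlib a
 * binary was built with by scanning it for the copyright strings zlib embeds
 * (the inflate_copyright / deflate_copyright constants in zlib's source).
 * Assumption: those strings have the form " inflate 1.1.3 Copyright ..." and
 * " deflate 1.1.3 Copyright ...", and the fix the vendor cites is zlib 1.1.4.
 * The sample buffer below is constructed to look like a fragment of a DLL's
 * read-only data; it is not taken from any real Flash Player build.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan buf[0..len) for "<marker><version> Copyright" and copy the version
 * into out. memcmp is used instead of strstr so embedded NUL bytes in a
 * binary do not stop the scan. Returns 1 if found, 0 otherwise. */
static int find_zlib_version(const unsigned char *buf, size_t len,
                             char *out, size_t outlen) {
    static const char *const markers[] = { " inflate ", " deflate " };
    size_t m, i, j, k;
    for (m = 0; m < 2; m++) {
        size_t mlen = strlen(markers[m]);
        for (i = 0; i + mlen < len; i++) {
            if (memcmp(buf + i, markers[m], mlen) != 0) continue;
            j = i + mlen;
            k = 0;
            while (j < len && k + 1 < outlen &&
                   (isdigit(buf[j]) || buf[j] == '.'))
                out[k++] = (char)buf[j++];
            out[k] = '\0';
            if (k > 0 && j + 10 <= len && memcmp(buf + j, " Copyright", 10) == 0)
                return 1;
        }
    }
    return 0;
}

/* Returns 1 if a dotted zlib version is 1.1.4 or later (the release the
 * vendor's reply names as carrying the double free() fix), 0 otherwise or
 * if the string does not parse. */
static int zlib_has_double_free_fix(const char *version) {
    int major = 0, minor = 0, patch = 0;
    if (sscanf(version, "%d.%d.%d", &major, &minor, &patch) < 2) return 0;
    long packed = major * 10000L + minor * 100L + patch;
    return packed >= 10104L;
}

/* Constructed sample: a few bytes of unrelated data and NUL-separated
 * strings in the style of a PE read-only section, carrying a 1.1.3 string. */
static const unsigned char sample_rdata[] =
    "\x00\x01\x02\x03\x00some other string\x00"
    " inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    "\xff\xfe\x00more data\x00";

/* Scan the constructed sample; returns 1 if the embedded zlib carries the
 * fix, 0 if it is older, -1 if no zlib string was found. */
static int audit_sample(void) {
    char ver[16];
    if (!find_zlib_version(sample_rdata, sizeof sample_rdata, ver, sizeof ver))
        return -1;
    return zlib_has_double_free_fix(ver);
}

int main(int argc, char **argv) {
    char ver[16];
    if (argc < 2) {
        printf("sample: %d (0 = zlib older than 1.1.4)\n", audit_sample());
        return 0;
    }
    /* Real use: point it at a DLL/OCX and read the whole file into memory. */
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    if (n < 0) n = 0;
    rewind(f);
    unsigned char *buf = malloc(n > 0 ? (size_t)n : 1);
    size_t got = buf ? fread(buf, 1, (size_t)n, f) : 0;
    fclose(f);
    if (find_zlib_version(buf, got, ver, sizeof ver))
        printf("%s: zlib %s (%s)\n", argv[1], ver,
               zlib_has_double_free_fix(ver) ? "has 1.1.4 fix" : "pre-1.1.4");
    else
        printf("%s: no zlib copyright string found\n", argv[1]);
    free(buf);
    return 0;
}
```

Run without arguments to scan the constructed sample; run with a file path to scan a real binary. A binary that statically links zlib, or bundles several components, may carry more than one copy of the string; the scan stops at the first match, so an audit of a large library should be extended to report every hit and flag the oldest.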

Vendor URL:  www.macromedia.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 18 2002 Macromedia ActiveX Flash Player Heap Overflow Will Execute Arbitrary Code in Malicious Flash Content



 Source Message Contents

Subject:  Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX


In-Reply-To: <118-2136623052.20021118134327@SECURITY.NNOV.RU>

Status on the below posting regarding:

1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.

1. zlib 1.1.4 double free() bug
=====================
Flash Player 6 was released with the fix for the double free() bug back in 
March 2002, the player ships with the latest version 1.1.4.

We have not found any exploit of this to date, since we ship with the 
latest version.


2. SW Remote parameter tag
=====================
We investigated this issue and worked with LOM <lom at lom.spb.ru> to try 
and reproduce this buffer overflow.  In all of our testing we could NOT 
reproduce a buffer overflow, but there is indeed a crash bug which we have 
a fix for in our public beta at
<http://www.macromedia.com/software/flashplayer/special/beta/>

In all of these cases we worked directly with the reporter and resolved 
these issues, to be either an issue or a non-issue.

Macromedia is committed to security, we take security very seriously.

Regards
Troy Evans
Flash Player Product Manager




>Author: LOM <lom at lom.spb.ru>
>Product:  Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
>          Explorer
>Vendor: Macromedia was contacted on 23 Oct 2002.
>Risk: High
>Remote: Yes
>Exploitable: Yes
>
>Intro:
>
>Macromedia Flash ActiveX plugin displays .swf files under Internet
>Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have
>the Macromedia Flash Player".
>
>Vulnerabilities:
>
>A few vulnerabilities were identified: protected memory reading, memory
>consumption DoS and, more serious:
> 1. zlib 1.1.3 double free() bug
> 2. Buffer overflow in SWRemote parameter for flash object.
>
>Details:
>
>The last bug is very close to the one reported by eEye in May [2]. Probably
>it was not found by eEye because the overflow is heap-based, so the exception
>is triggered on free(). It may be achieved by setting and changing the
>property with JavaScript, for example. This kind of overflow (heap-based
>Unicode overflow) is exploitable under Internet Explorer. The attached proof
>of concept (by LOM) [1] demonstrates an exception triggered in free(). See [3]
>for exploiting heap overflows, [4] for exploiting Unicode overflows
>under Internet Explorer.
>
>Credits:
>
>Vulnerabilities were discovered by LOM <lom at lom.spb.ru>
>
>Vendor:
>
>Macromedia was contacted on 23 Oct 2002. The only reply was received on
>29 Oct 2002, that Macromedia will look into these issues.
>
>Workaround:
>
>Disable ActiveX in Internet Explorer or uninstall flash ActiveX.
>
>References:
>
>1. Macromedia Shockwave proof of concept
>   http://www.security.nnov.ru/files/swfexpl.zip
>2. eEye, Macromedia Flash Activex Buffer overflow
>   http://www.eeye.com/html/Research/Advisories/AD20020502.html
>3. w00w00 on Heap Overflows
>   http://www.w00w00.org/files/articles/heaptut.txt
>4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
>   few sidenotes on Unicode overflows in general)
>   http://www.security.nnov.ru/search/document.asp?docid=2554
>5. Additional or updated information on this issue
>   http://www.security.nnov.ru/search/news.asp?binid=1982

Copyright 2019, SecurityGlobal.net LLC