SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Adobe Flash Player Vendors:   Macromedia
Macromedia Flash Null Pointer Assignment in LoadMovie() Lets Remote Users Deny Service
SecurityTracker Alert ID:  1009674
SecurityTracker URL:  http://securitytracker.com/id/1009674
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 6 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 7.0 r19
Description:   Rafel Ivgi (The-Insider) reported a null pointer vulnerability in the Macromedia Flash Player. A remote user can cause a target user's player to crash.

It is reported that a remote user can create code that calls the LoadMovie() function with a non-zero layer index to cause the target user's player to crash.

Some demonstration exploit content is provided:

<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>

Impact:   A remote user can create Flash content that, when loaded by the target user, will cause the target user's player to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.macromedia.com/ (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Macromedia Flash Player
Vendors:          http://www.macromedia.com
Version:           7.0 r19
Platforms:       WindowsXP Professional,SP1,SP2
Bug:                 Null Pointer Assignment
Risk:                 Medium - Denial Of Service
Exploitation:    Remote with browser
Date:                1 Apr 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider@mail.com
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Macromedia Flash Player is a module/plugin that comes by default with
windows installation.
It is widely used accross website all around the world. It is stable and its
designers took
made a few efforts to make it secure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Marcromedia Flash Player has a flaw at the "LoadMovie" function.
The function is designed the following way: LoadMovie(layer as long, url as
string).

This functions handles long strings, non-alphabetic chars and even an
overflow at high layer num.
The only thing it crashes upon is loading a flash movie into a non-zero
layer index.

This means that"
LoadMovie 1,"c6ool.swf"
Will Crash Internet Explorer Window because of a null pointer assignment by
the flash module.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC