SecurityTracker.com
SecurityTracker
Archives




Category:   Application (Multimedia)  >   Adobe Flash Player
Vendors:   Adobe Systems Incorporated
Adobe Flash Professional/Basic Bug in Parsing FLA Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019681
SecurityTracker URL:  http://securitytracker.com/id/1019681
CVE Reference:   CVE-2008-1201
Date:  Mar 20 2008
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): Flash CS3 Professional, Flash Professional 8, and Flash Basic 8
Description:   A vulnerability was reported in Adobe Flash Professional and Flash Basic. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted FLA file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system. The code will run with the privileges of the target user.

The Mac versions of Flash Professional and Flash Basic are not affected.

Flash Player is not affected.

The vendor was notified on November 9, 2007.

cocoruder reported this vulnerability.

The original advisory is available at:

http://www.fortiguardcenter.com/advisory/FGA-2008-07.html

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.

Adobe plans to issue a fix in the next major release of Flash Professional.

The Adobe advisory is available at:

http://www.adobe.com/support/security/advisories/apsa08-03.html

Vendor URL:  www.adobe.com/support/security/advisories/apsa08-03.html
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 7 2008 (Adobe After Effects is Affected) Adobe Flash Professional/Basic Bug in Parsing FLA Files Lets Remote Users Execute Arbitrary Code
Adobe After Effects CS3 is vulnerable.



Source Message Contents

Subject:  [Full-disclosure] Adobe Flash CS3 Professional FLA File Parsing

Adobe Flash CS3 Professional FLA File Parsing Multiple Local Code Execution Vulnerabilities

by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net


Summary:

    More than three local code execution vulnerabilities exist in Adobe
Flash CS3 Professional while it is parsing FLA files. An attacker who
successfully exploits these vulnerabilities can run arbitrary code on
the affected system.



Affected Software Versions:

    Adobe Flash CS3 Professional 9.0
    Macromedia Flash MX 2004



Details:

    All these vulnerabilities are due to the parser not handling
malformed FLA files accurately. By changing the value at some special
addresses in a normal FLA file, unexpected errors can be triggered at a
"call" instruction; the following is one of the situations:

    eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=08feac38 edi=0012eb2c
    eip=00943502 esp=0012e15c ebp=08feac3c iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250206
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Flash-unprepped.exe -
    Flash_unprepped!std::basic_istream<char,std::char_traits<char> >::basic_istream<char,std::char_traits<char> >+0x3d7762:
    00943502 8b01            mov     eax,dword ptr [ecx]        ds:0023:41414141=????????, can be controlled
    00943504 8b10            mov     edx,dword ptr [eax]
    00943506 6a01            push    1
    00943508 ffd2            call    edx                        ; code executing is possible
    0094350a 8bbe48020000    mov     edi,dword ptr [esi+248h]
    00943510 3bfb            cmp     edi,ebx
    00943512 899ef4010000    mov     dword ptr [esi+1F4h],ebx
    00943518 7410            je      Flash_unprepped!std::basic_istream<char,std::char_traits<char> >::basic_istream<char,std::char_traits<char> >+0x3d778a (0094352a)


    It is confirmed that a successfully working exploit can be written
for at least one of them. On the other hand, because the FLA file
cannot be loaded remotely, the threat of these vulnerabilities is
reduced.



Vendor Response:

    Adobe has replied to me that they will fix these vulnerabilities in
the next major release of Flash Professional. We suggest that all
Adobe Flash CS3 Professional users do not open FLA files which come
from distrustful sources.

    An advisory from the vendor can be found at:

    http://www.adobe.com/support/security/advisories/apsa08-03.html

    Fortinet advisory can be found at:

    http://www.fortiguardcenter.com/advisory/FGA-2008-07.html



CVE Information:

    CVE-2008-1201



Disclosure Timeline:

    2007.11.09    Vendor notified via email
    2007.11.10    Vendor responded
    2007.11.16    Vendor replied they cannot find a way to exploit
    2007.11.16    Sent some notes to the vendor
    2007.11.27    Vendor replied they still cannot find a way to exploit
    2007.11.28    Sent a working exploit to the vendor
    2008.03.11    Vendor replied there will not be a plan for developing an update due to the threat of the vulnerability; they will fix it via the next major release.
    2008.03.20    Coordinated vulnerability disclosure



--EOF--
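The crash dump in the Details section above shows the classic shape of this bug class: a value taken from the file ends up in ecx, is dereferenced as an object pointer, its first dword is treated as a method pointer, and that pointer is called. The following is an added example (not part of the advisory, the vendor's code, or the FLA format) showing the defensive counterpart: a file-supplied object reference is treated as an index into a process-owned handler table and bounds-checked before any indirect call, so a record carrying 0x41414141 is rejected instead of dereferenced. The record layout and handler names are constructed for illustration.

```c
/* Added example: hardened handling of an object reference read from an untrusted
 * file record. Constructed toy layout: 4-byte LE handler reference, 4-byte LE argument.
 * It is not the real FLA format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct Handler {
    const char *name;
    int (*apply)(int arg);     /* the indirect-call target ("call edx" in the dump) */
} Handler;

static int apply_increment(int arg) { return arg + 1; }
static int apply_double(int arg)    { return arg * 2; }

/* Process-owned table of valid handlers; the file may only select an entry by index. */
static const Handler HANDLERS[] = {
    { "increment", apply_increment },
    { "double",    apply_double    },
};
#define HANDLER_COUNT (sizeof HANDLERS / sizeof HANDLERS[0])
enum { RECORD_LEN = 8 };

uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and writes *result on success, -1 for a truncated or rejected record.
 * The untrusted 32-bit value is never used as a pointer: it is validated as an index first. */
int process_record(const uint8_t *buf, size_t len, int *result) {
    if (buf == NULL || result == NULL || len < RECORD_LEN) return -1;  /* truncated record */
    uint32_t ref = read_le32(buf);
    uint32_t arg = read_le32(buf + 4);
    if (ref >= HANDLER_COUNT) return -1;            /* a reference such as 0x41414141 stops here */
    *result = HANDLERS[ref].apply((int)arg);
    return 0;
}

/* Constructed sample records: a valid one selecting "double"(21), and one whose
 * reference field is 0x41414141, mirroring the controlled ecx in the dump. */
int run_good(void) {
    const uint8_t rec[RECORD_LEN] = { 0x01,0,0,0, 0x15,0,0,0 };
    int r = 0;
    return process_record(rec, sizeof rec, &r) == 0 ? r : -1;   /* 42 */
}
int run_bad(void) {
    const uint8_t rec[RECORD_LEN] = { 0x41,0x41,0x41,0x41, 0x01,0,0,0 };
    int r = 0;
    return process_record(rec, sizeof rec, &r);                 /* -1: rejected */
}

int main(void) {
    printf("valid record -> %d\n", run_good());
    printf("malformed record -> %s\n", run_bad() == 0 ? "accepted" : "rejected");
    return 0;
}
```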




Copyright 2019, SecurityGlobal.net LLC