LOM: Multiple vulnerabilities in Macromedia Flash ActiveX

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 11/18/02

Next message: Georgi Guninski: "Re: bind 8 info update regarding ISS"

Previous message: Matthew Bukaty: "Trojan in TCP Dump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Mon, 18 Nov 2002 20:58:23 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
Explorer
Vendor: Macromedia was contacted on 23 Oct 2002.
Risk: High
Remote: Yes
Exploitable: Yes

Into:

Macromedia flash ActiveX plugin displays .swf files under Internet
Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have
the Macromedia Flash Player".

Vulnerabilities:

Few vulnerabilities were identified: protected memory reading, memory
consumption DoS and more serious:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.

Details:

Last bug is very close to one reported by eEye in May [2]. Probably it
was not found by eEye because overflow is heap based, so exception is
triggered on free(). It may be achieved by setting and changing property
with Javascript, for example. This kind of overflows (heap based Unicode
overflow) is exploitable under Internet Explorer. Proof of concept (by
LOM)[1] demonstrates exception triggered in free(). See [3] for
exploiting heap overflows, [4] for exploiting Unicode overflows under
Internet Explorer.

Credits:

Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

Vendor:

Macromedia was contacted on 23 Oct 2002. The only reply was received on
29 Oct 2002 that Macromedia will look into these issues.

Workaround:

Disable ActiveX in Internet Explorer or uninstall flash ActiveX.

References:

1. Macromedia Shockwave proof of concept
   http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash Activex Buffer overflow
   http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
   http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
   few sidenotes on Unicode overflows in general)
   http://www.security.nnov.ru/search/document.asp?docid=2554
5. Additional or updated information on this issue
   http://www.security.nnov.ru/search/news.asp?binid=1982

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Demonstrate your knowledge and understanding of core IT Security, become
TICSA certified.
Are you responsible for IT security in job function, but not necessarily
in title? Do you want to prove your IT security knowledge and increase
opportunities? Interested? Visit;
http://www.trusecure.com/solutions/certifications/ticsa/
for more information.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Next message: Georgi Guninski: "Re: bind 8 info update regarding ISS"
Previous message: Matthew Bukaty: "Trojan in TCP Dump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]