Macromedia Shockwave Flash Malformed Header Overflow #2

From: Marc Maiffret (marc@EEYE.COM)
Date: 12/17/02

    Date:         Mon, 16 Dec 2002 17:27:13 -0800
    From: Marc Maiffret <marc@EEYE.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Macromedia Shockwave Flash Malformed Header Overflow #2

    Release Date:
    December 16, 2002

    Severity:
    High (Remote Code Execution)

    Systems Affected:
    Macromedia Flash Player versions less than 6.0.65.0

    Description:
    While working on some pre-release Retina® CHAM tools, multiple exploitable
    conditions were discovered within the Shockwave Flash file format SWF
    (pronounced "SWIF").

    There exists a vulnerability within Macromedia's Flash software and its
    handling of malformed Flash files. Attackers can use this vulnerability to
    compromise users of Macromedia's Flash software. A corrupt file may be
    placed on a website or in some cases within an HTML email.

    We provided Macromedia with various corrupt Flash files, a few of which we
    verified for exploitability. Macromedia has since fixed the exploitable
    conditions as well as various other bugs that were found.

    The primary danger of exploiting Macromedia Flash is its extensive user base
    and portability across operating systems. Further, it is "version frozen" on
    operating system installation set-ups, so issues may linger for some time.
    Regardless, Macromedia has fixed all of the known issues.

    Technical Description:
    The data header is roughly made out as:

    [Flash Signature][version (1)][File Length (a number of bytes too short)]
    [Frame Size (malformed)][Frame Rate (malformed)][Frame Count (malformed)]
    [Data]

    While the diagram may remain the same for this issue as in the previous
    issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there
    are variations in the malformed data which are very specific to this issue.
    In this case, EBP is completely controlled, so exploitation is
    straightforward. EDI and EDX are also directly controlled, which gives
    attackers the ability to easily exploit the vulnerable scenarios.

    Protection:
    Retina® Network Security Scanner (http://www.eeye.com/Retina) has been
    updated to identify this latest Macromedia Flash vulnerability.

    Vendor Status:
    Macromedia has been notified and released a patch for this vulnerability,
    available at:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

    Credit:
    Drew Copley, Research Engineer, eEye Digital Security

    Greetings:
    StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.

    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com
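The header layout described in the Technical Description above, parsed the way a hardened player would have to parse it, as an added example that is not eEye's or Macromedia's code. The field sizes follow the public SWF specification (3-byte signature, version byte, 32-bit little-endian file length, a bit-packed RECT with a 5-bit Nbits prefix and four Nbits-wide signed fields, then 16-bit frame rate and frame count); the function and type names and the three sample buffers are the example's own, constructed here. It rejects the malformed pattern the advisory lists, a declared length that disagrees with the bytes actually present and a frame-size rectangle that runs past the end of the buffer, instead of sizing anything from header fields the attacker controls.

```c
/* Bounds-checked parser for the uncompressed ("FWS") SWF header.
 * Added example, not eEye's or Macromedia's code. Field layout is from the
 * public SWF specification; the sample buffers below are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    SWF_OK = 0,
    SWF_ERR_SHORT,      /* buffer ends before the header does */
    SWF_ERR_SIGNATURE,  /* not "FWS" (compressed "CWS" is out of scope here) */
    SWF_ERR_LENGTH,     /* declared file length disagrees with the data present */
    SWF_ERR_RECT        /* frame-size rectangle is inverted */
} swf_status;

typedef struct {
    uint8_t  version;
    uint32_t declared_len;            /* file length claimed by the header */
    int32_t  xmin, xmax, ymin, ymax;  /* frame size in twips */
    uint16_t frame_rate;              /* 8.8 fixed point */
    uint16_t frame_count;
    size_t   header_len;              /* bytes consumed by the header */
} swf_header;

/* MSB-first bit reader that refuses to read past its buffer. */
typedef struct { const uint8_t *p; size_t len; size_t bitpos; } bitreader;

static int read_bits(bitreader *br, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t byte = br->bitpos >> 3;
        if (byte >= br->len) return 0;          /* would read out of bounds */
        v = (v << 1) | ((br->p[byte] >> (7 - (br->bitpos & 7))) & 1u);
        br->bitpos++;
    }
    *out = v;
    return 1;
}

static int32_t sign_extend(uint32_t v, unsigned nbits) {
    if (nbits == 0 || nbits >= 32) return (int32_t)v;
    uint32_t m = 1u << (nbits - 1);
    return (int32_t)((v ^ m) - m);
}

swf_status swf_parse_header(const uint8_t *buf, size_t len, swf_header *h) {
    memset(h, 0, sizeof *h);
    if (len < 8) return SWF_ERR_SHORT;
    if (memcmp(buf, "FWS", 3) != 0) return SWF_ERR_SIGNATURE;
    h->version = buf[3];
    h->declared_len = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                      (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;

    /* RECT: 5-bit Nbits, then Xmin, Xmax, Ymin, Ymax as Nbits-wide signed
     * fields, padded to a byte boundary. Nbits comes from the file, so every
     * read is bounded by the real buffer, never by the declared length. */
    bitreader br = { buf + 8, len - 8, 0 };
    uint32_t nbits, raw[4];
    if (!read_bits(&br, 5, &nbits)) return SWF_ERR_SHORT;
    for (int i = 0; i < 4; i++)
        if (!read_bits(&br, nbits, &raw[i])) return SWF_ERR_SHORT;
    size_t rect_bytes = (5 + 4 * (size_t)nbits + 7) / 8;
    size_t hdr_len = 8 + rect_bytes + 4;
    if (len < hdr_len) return SWF_ERR_SHORT;
    h->xmin = sign_extend(raw[0], nbits); h->xmax = sign_extend(raw[1], nbits);
    h->ymin = sign_extend(raw[2], nbits); h->ymax = sign_extend(raw[3], nbits);
    if (h->xmin > h->xmax || h->ymin > h->ymax) return SWF_ERR_RECT;

    const uint8_t *q = buf + 8 + rect_bytes;
    h->frame_rate  = (uint16_t)(q[0] | q[1] << 8);
    h->frame_count = (uint16_t)(q[2] | q[3] << 8);
    h->header_len  = hdr_len;

    /* The advisory's pattern: a declared length shorter than the bytes that
     * follow. Require it to match the real size; never allocate or copy by it. */
    if (h->declared_len != len) return SWF_ERR_LENGTH;
    return SWF_OK;
}

/* Constructed samples. Good: version 6, 23-byte file, 550x400 px frame
 * (11000x8000 twips, Nbits=15), 12 fps, 1 frame, followed by an End tag. */
const uint8_t sample_good[] = {
    'F','W','S', 6, 0x17,0,0,0,
    0x78,0x00,0x05,0x5F,0x00,0x00,0x0F,0xA0,0x00,   /* RECT */
    0x00,0x0C, 0x01,0x00,                           /* frame rate, frame count */
    0x00,0x00 };                                    /* End tag */
/* Same file, but the header claims the whole file is only 8 bytes long. */
const uint8_t sample_short_len[] = {
    'F','W','S', 6, 0x08,0,0,0,
    0x78,0x00,0x05,0x5F,0x00,0x00,0x0F,0xA0,0x00, 0x00,0x0C, 0x01,0x00, 0x00,0x00 };
/* Nbits=31 demands a 17-byte RECT, but only 6 bytes follow the length field. */
const uint8_t sample_bad_rect[] = { 'F','W','S', 6, 0x17,0,0,0, 0xF8,0xFF,0xFF,0xFF,0xFF,0xFF };

int main(void) {
    swf_header h;
    swf_status st = swf_parse_header(sample_good, sizeof sample_good, &h);
    printf("good:      %d (xmax=%d ymax=%d rate=%u.%u frames=%u)\n", st,
           h.xmax, h.ymax, h.frame_rate >> 8, h.frame_rate & 0xFF, h.frame_count);
    printf("short len: %d\n", swf_parse_header(sample_short_len, sizeof sample_short_len, &h));
    printf("bad rect:  %d\n", swf_parse_header(sample_bad_rect, sizeof sample_bad_rect, &h));
    return 0;
}
```

Only the uncompressed header is handled; a real player must also inflate "CWS" files before applying the same checks, and must carry the same discipline into the tag loop that follows the header, where each tag again carries a length the file controls.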



