[NT] Macromedia Shockwave Flash Malformed Header Overflow (Additional problems)

From: support@securiteam.com
Date: 12/17/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Dec 2002 00:25:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Macromedia Shockwave Flash Malformed Header Overflow (Additional problems)
    ------------------------------------------------------------------------

    SUMMARY

    There exists a vulnerability within Macromedia's Flash software in its
    handling of malformed Flash files. Attackers can use this vulnerability to
    compromise a user's operating system. A corrupt file may be placed on a
    website or in some cases within an HTML email.

    eEye provided Macromedia with various corrupt Flash files, a few of which
    eEye verified for exploitability. Macromedia has since fixed the
    exploitable conditions as well as various other bugs that were found.

    The primary danger of exploiting Macromedia Flash is its extensive user
    base and portability across operating systems. Further, it is "version
    frozen" on operating system installation set-ups, so issues may linger for
    some time. Regardless, Macromedia has fixed all of the known issues.

    DETAILS

    Systems Affected:
     * Macromedia Flash Player versions older than 6.0.65.0

    Technical Description:
    The data header is roughly laid out as:

    [Flash Signature][version (1)][File Length (a number of bytes too short)]
    [Frame Size (malformed)][Frame Rate (malformed)][Frame Count (malformed)]
    [Data]

    While the diagram may remain the same for this issue as in the previous
    issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html),
    there are variations in the malformed data which are very specific to
    this issue. In this case, EBP is completely controlled, so exploitation is
    straightforward. EDI is also directly controlled, as well as EDX and EDI,
    all of which give attackers the ability to easily exploit the vulnerable
    scenarios.
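
The header layout above can be checked for self-consistency before a file reaches a player. The following is an added example, not code from eEye, Macromedia or SecuriTeam: a triage check that parses the fixed SWF header fields and reports a File Length that disagrees with the real size, or a Frame Size field that runs past the data. The function names and sample bytes are constructed for illustration, and the checks are generic sanity checks, not the specific trigger conditions of this issue.

```python
import struct

def read_bits(buf, pos, n):
    """Read n bits MSB-first from bit offset pos; refuse to read past the buffer."""
    if pos + n > len(buf) * 8:
        raise ValueError("bit field runs past end of file")
    val = 0
    for i in range(pos, pos + n):
        val = (val << 1) | ((buf[i // 8] >> (7 - i % 8)) & 1)
    return val

def signed(val, n):
    """Interpret an n-bit value as two's complement."""
    return val - (1 << n) if n and val >> (n - 1) else val

def check_swf_header(data):
    """Return a list of findings; an empty list means the header is self-consistent."""
    if len(data) < 8 or data[:3] != b"FWS":
        return ["not an uncompressed SWF (no FWS signature)"]
    findings = []
    declared = struct.unpack_from("<I", data, 4)[0]   # File Length, little-endian
    if declared != len(data):
        findings.append(f"File Length {declared} != actual size {len(data)}")
    try:
        nbits = read_bits(data, 64, 5)                # Frame Size RECT: 5-bit field width
        xmin, xmax, ymin, ymax = (
            signed(read_bits(data, 69 + i * nbits, nbits), nbits) for i in range(4))
    except ValueError as exc:
        return findings + [f"Frame Size: {exc}"]
    if xmin > xmax or ymin > ymax:
        findings.append(f"Frame Size inverted: x {xmin}..{xmax}, y {ymin}..{ymax}")
    fixed_end = 8 + (5 + 4 * nbits + 7) // 8 + 4      # RECT is byte-padded; +rate +count
    if fixed_end > min(declared, len(data)):
        findings.append(f"header needs {fixed_end} bytes, more than the file provides")
    return findings

# Constructed samples (not from the advisory): a 550x400 px, 12 fps, 1-frame movie.
GOOD = (b"FWS\x05" + struct.pack("<I", 23)
        + bytes.fromhex("78 00 05 5f 00 00 0f a0 00")  # RECT, 15-bit fields, in twips
        + bytes.fromhex("00 0c 01 00")                 # Frame Rate 12.0, Frame Count 1
        + b"\x00\x00")                                 # End tag
SHORT_LENGTH = GOOD[:4] + struct.pack("<I", 19) + GOOD[8:]   # File Length too short
TRUNCATED_RECT = b"FWS\x05" + struct.pack("<I", 12) + b"\xf8\x00\x00\x00"

if __name__ == "__main__":
    for name in ("GOOD", "SHORT_LENGTH", "TRUNCATED_RECT"):
        print(name, check_swf_header(globals()[name]))
```

A gateway or file-scanning job can quarantine any file for which the returned list is non-empty; compressed (CWS) files would need to be inflated before the same checks apply.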

    Vendor Status:
    Macromedia has been notified and released a patch for this vulnerability,
    available at:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

    ADDITIONAL INFORMATION

    The information has been provided by Marc Maiffret <marc@eeye.com>.
