LOM: Multiple vulnerabilities in Macromedia Flash ActiveX

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 11/18/02

  • Next message: secure@conectiva.com.br: "[CLA-2002:548] Conectiva Linux Security Announcement - windowmaker"
    Date: Mon, 18 Nov 2002 13:43:27 +0300
    From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
    To: bugtraq@securityfocus.com
    
    

    Author: LOM <lom at lom.spb.ru>
    Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
              Explorer
    Vendor: Macromedia was contacted on 23 Oct 2002.
    Risk: High
    Remote: Yes
    Exploitable: Yes

    Into:

    Macromedia flash ActiveX plugin displays .swf files under Internet
    Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have
    the Macromedia Flash Player".

    Vulnerabilities:

    Few vulnerabilities were identified: protected memory reading, memory
    consumption DoS and more serious:
     1. zlib 1.1.3 double free() bug
     2. Buffer overflow in SWRemote parameter for flash object.

    Details:

    Last bug is very close to one reported by eEye in May [2]. Probably it
    was not found by eEye because overflow is heap based, so exception is
    triggered on free(). It may be achieved by setting and changing property
    with Javascript, for example. This kind of overflows (heap based Unicode
    overflow) is exploitable under Internet Explorer. Attached proof of
    concept (by LOM)[1] demonstrates exception triggered in free(). See [3]
    for exploiting heap overflows, [4] for exploiting Unicode overflows
    under Internet Explorer.

    Credits:

    Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

    Vendor:

    Macromedia was contacted on 23 Oct 2002. The only reply was received on
    29 Oct 2002 that Macromedia will look into these issues.

    Workaround:

    Disable ActiveX in Internet Explorer or uninstall flash ActiveX.

    References:

    1. Macromedia Shockwave proof of concept
       http://www.security.nnov.ru/files/swfexpl.zip
    2. eEye, Macromedia Flash Activex Buffer overflow
       http://www.eeye.com/html/Research/Advisories/AD20020502.html
    3. w00w00 on Heap Overflows
       http://www.w00w00.org/files/articles/heaptut.txt
    4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
       few sidenotes on Unicode overflows in general)
       http://www.security.nnov.ru/search/document.asp?docid=2554
    5. Additional or updated information on this issue
       http://www.security.nnov.ru/search/news.asp?binid=1982

    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)