Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24596
HistoryAug 26, 2010 - 12:00 a.m.

Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2880

2010-08-2600:00:00
vulners.com
19
JSON

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2880

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x47.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.dir) is available to interested parts.

DETAILS

Disassembly:

68001602 40 INC EAX
68001603 83E0 FE AND EAX,FFFFFFFE
68001606 8945 04 MOV DWORD PTR SS:[EBP+4],EAX
68001609 8D5408 08 LEA EDX,DWORD PTR DS:[EAX+ECX+8]
6800160D 8B47 20 MOV EAX,DWORD PTR DS:[EDI+20]
68001610 8B58 10 MOV EBX,DWORD PTR DS:[EAX+10]
68001613 83FB FF CMP EBX,-1
68001616 895424 14 MOV DWORD PTR SS:[ESP+14],EDX
6800161A 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
6800161E 0F8E 92010000 JLE DIRAPI.680017B6
68001624 53 PUSH EBX
68001625 57 PUSH EDI
68001626 E8 C5140000 CALL DIRAPI.68002AF0
6800162B 8BD8 MOV EBX,EAX
6800162D 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] <– Problem

EBX = 0x46A6FAAC
EAX = 0x46A6FAAC

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related

cve 2
checkpoint_advisories 1
prion 2
securityvulns 3
openvas 2
nessus 2
cve
cve
CVE-2010-2880
2010-08-26 21:00:00
CVE-2010-4086
2010-10-29 19:00:00
checkpoint_advisories
checkpoint_advisories
Adobe Shockwave Player MMAP Index Memory Corruption (APSB10-20; CVE-2010-2880)
2010-08-24 00:00:00
prion
prion
Memory corruption
2010-08-26 21:00:00
Memory corruption
2010-10-29 19:00:00
securityvulns
securityvulns
Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4086
2010-11-02 00:00:00
Adobe Shockwave Player multiple security vulnerabilities
2010-08-26 00:00:00
Security update available for Shockwave Player
2010-08-26 00:00:00
openvas
openvas
Adobe Shockwave Player Multiple Vulnerabilities Aug-10
2010-09-01 00:00:00
Adobe Shockwave Player Multiple Vulnerabilities Aug-10
2010-09-01 00:00:00
nessus
nessus
Shockwave Player < 11.5.8.612
2010-08-25 00:00:00
Adobe Shockwave Player <= 11.5.7.609 (APSB10-20) (Mac OS X)
2014-12-22 00:00:00
JSON
Related for SECURITYVULNS:DOC:24596
cve2checkpoint_advisories1prion2securityvulns3openvas2nessus2