Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0)
Vendor: Macromedia was not contacted
Risk: High
Remote: Yes
Exploitable: Yes
Intro:
The Macromedia Flash ActiveX plugin displays .swf files under Internet
Explorer.
Vulnerabilities:
Several vulnerabilities were identified: protected memory reading, a memory
consumption DoS and, more seriously:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in the SWRemote parameter of the Flash object.
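The advisory does not show the zlib code involved in bug 1, so the following is an added illustration of the double free() bug class in general, not code from the advisory, from zlib or from the Flash plugin. The decoder_state type, the tracked allocator and the chunk "header check" are hypothetical; the point is that the error path in the vulnerable variant frees the owned buffer but leaves the pointer behind, while the hardened variant routes every release through one helper that clears it, so cleanup is safe to call again:

```c
#include <stdlib.h>

/* Hypothetical decoder state: a heap window buffer the decoder owns. */
typedef struct {
    unsigned char *window;
    size_t window_size;
} decoder_state;

/* Instrumented allocator so the allocate/release balance is observable. */
static int live_allocations = 0;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocations--; free(p); }
}

int decoder_live_allocations(void) { return live_allocations; }

int decoder_init(decoder_state *st, size_t window_size) {
    st->window = tracked_alloc(window_size);
    st->window_size = st->window ? window_size : 0;
    return st->window ? 0 : -1;
}

/* Constructed "header check": a chunk is valid only if its first byte is 0x78. */
static int chunk_is_valid(const unsigned char *in, size_t len) {
    return len > 0 && in[0] == 0x78;
}

/* VULNERABLE pattern (never called here): the error path frees the window
 * but leaves the dangling pointer in the state, so the caller's normal
 * decoder_end() frees the same block a second time. */
int decode_chunk_vulnerable(decoder_state *st, const unsigned char *in, size_t len) {
    if (!chunk_is_valid(in, len)) {
        free(st->window);     /* freed ... */
        return -1;            /* ... but st->window still points at it */
    }
    return 0;
}

/* HARDENED pattern: every release goes through one helper that clears the
 * pointer, so a later cleanup sees NULL and does nothing. */
static void release_window(decoder_state *st) {
    tracked_free(st->window);
    st->window = NULL;
    st->window_size = 0;
}

int decode_chunk_hardened(decoder_state *st, const unsigned char *in, size_t len) {
    if (!chunk_is_valid(in, len)) {
        release_window(st);
        return -1;
    }
    return 0;
}

/* Idempotent cleanup: safe after an error path and again at end of life. */
void decoder_end(decoder_state *st) { release_window(st); }

/* Feeds a malformed chunk, then cleans up twice. Returns the number of
 * still-live allocations; 0 means the error path and the repeated cleanup
 * balanced exactly. */
int run_bad_chunk_scenario(void) {
    static const unsigned char bad_chunk[] = { 0x00, 0x01 }; /* constructed input */
    decoder_state st;
    if (decoder_init(&st, 32768) != 0) return -1;
    if (decode_chunk_hardened(&st, bad_chunk, sizeof bad_chunk) != -1) return -2;
    if (st.window != NULL) return -3;   /* error path must leave no dangling pointer */
    decoder_end(&st);
    decoder_end(&st);
    return decoder_live_allocations();
}

/* Same with a well-formed chunk: decode succeeds and one cleanup suffices. */
int run_good_chunk_scenario(void) {
    static const unsigned char good_chunk[] = { 0x78, 0x9c }; /* constructed input */
    decoder_state st;
    if (decoder_init(&st, 32768) != 0) return -1;
    if (decode_chunk_hardened(&st, good_chunk, sizeof good_chunk) != 0) return -2;
    decoder_end(&st);
    return decoder_live_allocations();
}
```

The useful habit here is the one release_window() shows: a free that does not null the pointer it came from turns every later cleanup into a potential double free, which is exactly the kind of exception in free() the proof of concept triggers.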
Details:
The last bug is very close to the one reported by eEye in May [2]. This kind
of overflow (a heap-based Unicode overflow) is definitely exploitable under
Internet Explorer. The attached proof of concept (by LOM) [1] demonstrates
an exception triggered in free(). See [3] on exploiting heap overflows and
[4] on exploiting Unicode overflows under Internet Explorer.
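As an added illustration of the Unicode (UTF-16) overflow bug class behind bug 2, not code from the advisory or from the Flash plugin: a parameter value is widened from one byte per character to one 16-bit unit per character, and the classic defect is sizing the destination by strlen(value) bytes instead of by units. The MAX_PARAM_CHARS limit and the function names are hypothetical; the hardened variant computes the size in the right unit and rejects over-long input instead of writing past the end:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on an object parameter value, in characters. */
#define MAX_PARAM_CHARS 255

/* VULNERABLE pattern (never called here): the buffer is sized in BYTES by
 * strlen(value), but each character is written as a two-byte unit, so the
 * copy overruns the heap block by about a factor of two. */
uint16_t *widen_param_unchecked(const char *value) {
    size_t len = strlen(value);
    uint16_t *out = malloc(len);              /* bytes, not units: too small */
    if (!out) return NULL;
    for (size_t i = 0; i <= len; i++)         /* also writes the terminator */
        out[i] = (uint16_t)(unsigned char)value[i];
    return out;
}

/* Bytes needed to hold the widened value including its terminator. */
size_t widened_bytes_needed(const char *value) {
    return (strlen(value) + 1) * sizeof(uint16_t);
}

/* HARDENED: widen into a caller-supplied buffer of out_units units,
 * rejecting over-long values and buffers that cannot hold the result.
 * Returns the number of units written (excluding the terminator) or -1. */
long widen_param_checked(const char *value, uint16_t *out, size_t out_units) {
    size_t len = strlen(value);
    if (len > MAX_PARAM_CHARS) return -1;
    if (out == NULL || len + 1 > out_units) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint16_t)(unsigned char)value[i];
    out[len] = 0;
    return (long)len;
}

/* Heap variant: allocate exactly widened_bytes_needed() and use the checked copy. */
uint16_t *widen_param_alloc(const char *value) {
    size_t bytes = widened_bytes_needed(value);
    uint16_t *out = malloc(bytes);
    if (!out) return NULL;
    if (widen_param_checked(value, out, bytes / sizeof(uint16_t)) < 0) {
        free(out);
        return NULL;
    }
    return out;
}

/* Returns 1 if a short value fits a 4-unit buffer with its terminator and a
 * value one character longer is refused rather than overrun. */
int fixed_buffer_selftest(void) {
    uint16_t buf[4] = { 0xffff, 0xffff, 0xffff, 0xffff };
    if (widen_param_checked("abc", buf, 4) != 3) return 0;
    if (buf[0] != 0x61 || buf[2] != 0x63 || buf[3] != 0) return 0;
    if (widen_param_checked("abcd", buf, 4) != -1) return 0;
    return 1;
}

/* Returns 1 if the heap variant round-trips a constructed value correctly. */
int alloc_roundtrip_ok(void) {
    uint16_t *p = widen_param_alloc("swf");   /* constructed value */
    if (!p) return 0;
    int ok = p[0] == 's' && p[1] == 'w' && p[2] == 'f' && p[3] == 0;
    free(p);
    return ok;
}

/* Returns 1 if a constructed 300-character value is rejected by the limit. */
int overlong_param_rejected(void) {
    char value[301];
    uint16_t out[301];
    memset(value, 'A', 300);
    value[300] = '\0';
    return widen_param_checked(value, out, 301) == -1;
}
```

Two independent checks are deliberately present in the hardened copy: the application-level limit on the parameter length, and the buffer-capacity check expressed in units of the destination type. Either one alone would have prevented the byte-versus-unit mismatch from writing past the block.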
Credits:
Vulnerabilities were discovered by LOM <lom at lom.spb.ru>
References:
1. Macromedia Shockwave proof of concept
http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash Activex Buffer overflow
http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
few sidenotes on Unicode overflows in general)
http://www.security.nnov.ru/search/document.asp?docid=2554