Oct 29, 2002

Multiple vulnerabilities in Macromedia Flash ActiveX


Author: LOM <lom at lom.spb.ru>
Product: Macromedia Flash ActiveX 6.0 (6,0,47,0)
Vendor: Macromedia was not contacted
Risk: High
Remote: Yes
Exploitable: Yes

Intro:

The Macromedia Flash ActiveX control plays .swf files inside Internet
Explorer.

Vulnerabilities:

Several vulnerabilities were identified: a protected-memory read, a
memory-consumption DoS, and two more serious ones:

  1. Double free() bug in the bundled zlib 1.1.3.
  2. Buffer overflow in the SWRemote parameter of the Flash object.

Details:

The second bug is very close to the one reported by eEye in May [2]. This
kind of overflow (a heap-based Unicode overflow) is definitely exploitable
under Internet Explorer. The attached proof of concept (by LOM) [1]
demonstrates an exception triggered in free(): the overflowed bytes reach
the adjacent heap block's management data, which free() later walks. See
[3] for exploiting heap overflows and [4] for exploiting Unicode overflows
under Internet Explorer.
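The following C program is an added illustration of the bug class named above and is not LOM's proof of concept [1] nor Macromedia's code: a parameter buffer sized in bytes, an input length-checked in ANSI characters, and storage as UTF-16, so a string that passes the check writes twice as many bytes as the buffer holds. The buffer sizes, the function names, the flat "fake heap" and the 31-character input are all assumptions for the demonstration; how the real overflow in Flash 6.0.47.0 is reached is not established here. The guard region stands in for the next heap chunk's header, whose corruption is what makes free() fault, and the last check shows the constraint [4] deals with: the attacker controls only every other byte of what is overwritten.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes chosen for the demonstration (not taken from Flash). */
enum { PARAM_BYTES = 32, GUARD_BYTES = 64 };

/* Flat model of two adjacent heap blocks: the parameter buffer followed by
 * bytes that, on a real heap, would be the next chunk's header and free-list
 * links. Overwriting those is what later makes free() raise an exception. */
typedef struct {
    uint8_t mem[PARAM_BYTES + GUARD_BYTES];
} fake_heap;

static void heap_init(fake_heap *h)
{
    memset(h->mem, 0x00, PARAM_BYTES);
    memset(h->mem + PARAM_BYTES, 0xCC, GUARD_BYTES); /* sentinel pattern */
}

/* Store an ASCII string as UTF-16LE, terminator included, with no bounds
 * check of its own. Returns bytes written: 2 * (strlen(src) + 1). */
static size_t write_utf16le(uint8_t *dst, const char *src)
{
    size_t n = strlen(src), i;
    for (i = 0; i <= n; i++) {
        dst[2 * i]     = (uint8_t)src[i];
        dst[2 * i + 1] = 0x00;   /* high byte of a Latin-1 character is always zero */
    }
    return 2 * (n + 1);
}

/* Vulnerable pattern: the check counts ANSI characters against a buffer
 * sized in bytes, but the data is stored as 2-byte code units. Any input
 * longer than PARAM_BYTES/2 - 1 characters overruns the buffer. */
static int store_param_vuln(fake_heap *h, const char *value)
{
    if (strlen(value) + 1 > PARAM_BYTES)
        return -1;
    write_utf16le(h->mem, value);
    return 0;
}

/* Fixed: check the number of bytes that will actually be written. */
static int store_param_fixed(fake_heap *h, const char *value)
{
    if ((strlen(value) + 1) * 2 > PARAM_BYTES)
        return -1;
    write_utf16le(h->mem, value);
    return 0;
}

/* How many guard bytes no longer hold the sentinel. */
static size_t guard_bytes_clobbered(const fake_heap *h)
{
    size_t i, count = 0;
    for (i = 0; i < GUARD_BYTES; i++)
        if (h->mem[PARAM_BYTES + i] != 0xCC)
            count++;
    return count;
}

/* The exploitation constraint of a Unicode overflow: every odd byte of the
 * overflowed data is 0x00, so only every other byte of whatever lies beyond
 * the buffer is attacker-controlled. Returns 1 if the clobbered run has
 * that shape, 0 otherwise (including when nothing was clobbered). */
static int overflow_is_wide_shaped(const fake_heap *h)
{
    size_t i, n = guard_bytes_clobbered(h);
    for (i = 1; i < n; i += 2)
        if (h->mem[PARAM_BYTES + i] != 0x00)
            return 0;
    return n > 0;
}

/* Constructed input: 16 'A' followed by 15 'B', 31 characters, which passes
 * the ANSI-length check of the vulnerable store but needs 64 bytes as UTF-16. */
static void make_long_value(char out[32])
{
    memset(out, 'A', 16);
    memset(out + 16, 'B', 15);
    out[31] = '\0';
}

int main(void)
{
    char value[32];
    fake_heap h;
    int rc;

    make_long_value(value);

    heap_init(&h);
    rc = store_param_vuln(&h, value);
    printf("vulnerable store: rc=%d, guard bytes clobbered=%zu, wide-shaped=%d\n",
           rc, guard_bytes_clobbered(&h), overflow_is_wide_shaped(&h));

    heap_init(&h);
    rc = store_param_fixed(&h, value);
    printf("fixed store:      rc=%d, guard bytes clobbered=%zu\n",
           rc, guard_bytes_clobbered(&h));
    return 0;
}
```

With the vulnerable store the 31-character input overwrites 32 bytes past the buffer, laid out as attacker byte, 0x00, attacker byte, 0x00 and so on; the fixed store rejects it because it checks the UTF-16 size.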

Credits:

Vulnerabilities were discovered by LOM <lom at lom.spb.ru>

References:

  1. Macromedia Shockwave proof of concept
    http://www.security.nnov.ru/files/swfexpl.zip
  2. eEye, Macromedia Flash Activex Buffer overflow
    http://www.eeye.com/html/Research/Advisories/AD20020502.html
  3. w00w00 on Heap Overflows
    http://www.w00w00.org/files/articles/heaptut.txt
  4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
    few sidenotes on Unicode overflows in general)
    http://www.security.nnov.ru/search/document.asp?docid=2554