Marc Maiffret
17/12/02, 17:25
Macromedia Shockwave Flash Malformed Header Overflow #2
Release Date:
December 16, 2002
Severity:
High (Remote Code Execution)
Systems Affected:
Macromedia Flash Player versions less than 6.0.65.0
Description:
While working on some pre-release Retina® CHAM tools, multiple exploitable
conditions were discovered within the Shockwave Flash file format SWF
(pronounced "SWIF").
There exists a vulnerability within Macromedia's Flash software and its
handling of malformed Flash files. Attackers can use this vulnerability to
compromise users of Macromedia's Flash software. A corrupt file may be
placed on a website or in some cases within an HTML email.
We provided Macromedia with various corrupt Flash files, a few of which we
verified for exploitability. Macromedia has since fixed the exploitable
conditions as well as various other bugs that were found.
The primary danger of exploiting Macromedia Flash is its extensive user base
and portability across operating systems. Further, it is "version frozen" on
operating system installation set-ups, so issues may linger for sometime.
Regardless, Macromedia has fixed all of the known issues.
Technical Description:
The data header is roughly made out as:
[Flash Signature][version (1)][File Length(a number of bytes too
short)][Frame Size (malformed)][Frame Rate (malformed)][Frame Count
(malformed)][Data]
While the diagram may remain the same for this issue as in the previous
issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there
are variations in the malformed data which are very specific to this issue.
In this case, EBP is completely controlled, so exploitation is
straight-forward. EDI is also directly controlled as well as EDX and EDI
which all give attackers the ability to easily exploit the vulnerable
scenarios.
Protection:
Retina® Network Security Scanner (http://www.eeye.com/Retina) has been
updated to identify this latest Macromedia Flash vulnerability.
Vendor Status:
Macromedia has been notified and released a patch for this vulnerability,
available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23569
Credit:
Drew Copley, Research Engineer, eEye Digital Security
Greetings:
StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com
Release Date:
December 16, 2002
Severity:
High (Remote Code Execution)
Systems Affected:
Macromedia Flash Player versions less than 6.0.65.0
Description:
While working on some pre-release Retina® CHAM tools, multiple exploitable
conditions were discovered within the Shockwave Flash file format SWF
(pronounced "SWIF").
There exists a vulnerability within Macromedia's Flash software and its
handling of malformed Flash files. Attackers can use this vulnerability to
compromise users of Macromedia's Flash software. A corrupt file may be
placed on a website or in some cases within an HTML email.
We provided Macromedia with various corrupt Flash files, a few of which we
verified for exploitability. Macromedia has since fixed the exploitable
conditions as well as various other bugs that were found.
The primary danger of exploiting Macromedia Flash is its extensive user base
and portability across operating systems. Further, it is "version frozen" on
operating system installation set-ups, so issues may linger for sometime.
Regardless, Macromedia has fixed all of the known issues.
Technical Description:
The data header is roughly made out as:
[Flash Signature][version (1)][File Length(a number of bytes too
short)][Frame Size (malformed)][Frame Rate (malformed)][Frame Count
(malformed)][Data]
While the diagram may remain the same for this issue as in the previous
issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there
are variations in the malformed data which are very specific to this issue.
In this case, EBP is completely controlled, so exploitation is
straight-forward. EDI is also directly controlled as well as EDX and EDI
which all give attackers the ability to easily exploit the vulnerable
scenarios.
Protection:
Retina® Network Security Scanner (http://www.eeye.com/Retina) has been
updated to identify this latest Macromedia Flash vulnerability.
Vendor Status:
Macromedia has been notified and released a patch for this vulnerability,
available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23569
Credit:
Drew Copley, Research Engineer, eEye Digital Security
Greetings:
StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com