Advertisement






Adobe Shockwave Player Memory Corruption Vulnerability (CVE-2010-2869)

CVE Category Price Severity
CVE-2010-2869 CWE-119 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2010-09-03
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:M/Au:N/C:C/I:C/A:C 0.03243 0.62769

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010080171

Below is a copy:

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2869

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro10.dir at offset 0x3712.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro10.dir) is available to interested parts.

DETAILS

Disassembly:

7C9011DD > 8BFF             MOV EDI,EDI
7C9011DF   55               PUSH EBP
7C9011E0   8BEC             MOV EBP,ESP
7C9011E2   83EC 54          SUB ESP,54
7C9011E5   56               PUSH ESI
7C9011E6   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
7C9011EC   803D 94E0977C 00 CMP BYTE PTR DS:[7C97E094],0
7C9011F3   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
7C9011F6   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
7C9011F9   0F85 F7EC0000    JNZ ntdll.7C90FEF6
7C9011FF   F646 10 10       TEST BYTE PTR DS:[ESI+10],10
7C901203   0F84 EDEC0000    JE ntdll.7C90FEF6
7C901209   5E               POP ESI
7C90120A   C9               LEAVE
7C90120B   C2 0400          RETN 4
7C90120E > CC               INT3
7C90120F   C3               RETN <--- Stop Here :)

EIP = 0x00000000

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies



Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.