Advertisement






Adobe Shockwave Player Memory Corruption Vulnerability (CVE-2010-2868)

CVE Category Price Severity
CVE-2010-2868 CWE-119 Not specified High
Author Risk Exploitation Type Date
Unspecified High Remote 2010-09-03
CPE
cpe:cpe:/a:adobe:shockwave_player
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010080172

Below is a copy:

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2868

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D.

This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parts.

DETAILS

Disassembly:

69081240   74 46            JE SHORT IML32.69081288
69081242   8B16             MOV EDX,DWORD PTR DS:[ESI]
69081244   8B46 08          MOV EAX,DWORD PTR DS:[ESI+8]
69081247   83E2 02          AND EDX,2
6908124A   0BD5             OR EDX,EBP
6908124C   83CA 01          OR EDX,1
6908124F   8916             MOV DWORD PTR DS:[ESI],EDX
69081251   8B56 04          MOV EDX,DWORD PTR DS:[ESI+4]
69081254   8950 04          MOV DWORD PTR DS:[EAX+4],EDX
69081257   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
6908125A   8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
6908125D   8950 08          MOV DWORD PTR DS:[EAX+8],EDX
69081260   8BFE             MOV EDI,ESI
69081262   03F5             ADD ESI,EBP
69081264   894C31 FC        MOV DWORD PTR DS:[ECX+ESI-4],ECX <--- Problem

ECX = 0x616CF240
ESI = 0x06C94038

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies



Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.