The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2868
INTRODUCTION
Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.
Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D.
This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected.
Shockwave Player version 11.5.7.609 and older for Windows and MacOS
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parts.
DETAILS
Disassembly:
69081240 74 46 JE SHORT IML32.69081288
69081242 8B16 MOV EDX,DWORD PTR DS:[ESI]
69081244 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
69081247 83E2 02 AND EDX,2
6908124A 0BD5 OR EDX,EBP
6908124C 83CA 01 OR EDX,1
6908124F 8916 MOV DWORD PTR DS:[ESI],EDX
69081251 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
69081254 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
69081257 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
6908125A 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
6908125D 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
69081260 8BFE MOV EDI,ESI
69081262 03F5 ADD ESI,EBP
69081264 894C31 FC MOV DWORD PTR DS:[ECX+ESI-4],ECX <--- Problem
ECX = 0x616CF240
ESI = 0x06C94038
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies