SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Adobe Shockwave Player Memory Corruption Vulnerability 2


Arrow  SecurityAlert : 7716
Arrow  CVE : CVE-2010-2882
Arrow  CWE : CWE-119
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Victim interaction required : Yes
Arrow  Exploit Available : Yes
Arrow  Credit : Rodrigo Branco
Arrow  Published : 01.09.2010

Arrow  Affected Software : adobe:shockwave_player:1.0
adobe:shockwave_player:10.1.0.11
adobe:shockwave_player:2.0
adobe:shockwave_player:9
adobe:shockwave_player:3.0
adobe:shockwave_player:4.0
adobe:shockwave_player:5.0
adobe:shockwave_player:6.0
adobe:shockwave_player:8.5.1
adobe:shockwave_player:8.0
adobe:shockwave_player:11.5.0.596
adobe:shockwave_player:11.5.1.601
adobe:shockwave_player:11.5.2.602
adobe:shockwave_player:11.5.6.606
adobe:shockwave_player:11.5.7.609 and previous versions
adobe:shockwave_player:10.2.0.023
adobe:shockwave_player:10.2.0.022
adobe:shockwave_player:10.2.0.021
adobe:shockwave_player:10.1.4.020
adobe:shockwave_player:10.1.1.016
adobe:shockwave_player:10.1.0.011
adobe:shockwave_player:10.0.1.004
adobe:shockwave_player:10.0.0.210
adobe:shockwave_player:9.0.432
adobe:shockwave_player:8.5.1.106
adobe:shockwave_player:8.5.1.105
adobe:shockwave_player:8.5.1.103
adobe:shockwave_player:8.5.1.100
adobe:shockwave_player:9.0.383
adobe:shockwave_player:8.5.325
adobe:shockwave_player:8.5.323
adobe:shockwave_player:8.5.324
adobe:shockwave_player:8.5.321
adobe:shockwave_player:8.0.205
adobe:shockwave_player:8.0.204
adobe:shockwave_player:8.0.196a
adobe:shockwave_player:8.0.196
adobe:shockwave_player:11.0.0.456
adobe:shockwave_player:11.0.3.471



Arrow  Advisory Content :  

I'm writing on behalf of the Check Point Vulnerability Discovery Team to
publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2882

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to
view rich-media content on the web including animations, interactive
presentations, and online entertainment.

Adobe Shockwave player does not properly parse .dir media file, which
causes a corruption in module DIRAPI.dll by opening a malformed file with
an invalid value located in PoC repro.dir at offset 0x3812.

This problem was confirmed in the following versions of Adobe Shockwave
Player, other versions may be also affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro11.dir) is available to interested
parts.

DETAILS

Disassembly:

68113255 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
68113259 8B01 MOV EAX,DWORD PTR DS:[ECX]
6811325B FF48 04 DEC DWORD PTR DS:[EAX+4]
6811325E 8B01 MOV EAX,DWORD PTR DS:[ECX]
68113260 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
68113263 85C9 TEST ECX,ECX
68113265 ^0F8F 95EEFFFF JG DIRAPI.68112100
6811326B 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
6811326F 8B08 MOV ECX,DWORD PTR DS:[EAX]
68113271 52 PUSH EDX
68113272 56 PUSH ESI
68113273 FF51 0C CALL DWORD PTR DS:[ECX+C] <--- Problem

ECX = 0x00000000

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco
from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies



Arrow  References :

http://www.adobe.com/support/security/bulletins/apsb10-20.html
http://www.securityfocus.com/archive/1/archive/1/513339/100/0/threaded




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.