LOM: Multiple vulnerabilities in Macromedia Flash ActiveX
| Дата публикации: | 22.11.2002 |
| Всего просмотров: | 1466 |
| Опасность: | |
| Наличие исправления: | |
| Количество уязвимостей: | 1 |
| CVE ID: | Нет данных |
| Вектор эксплуатации: | |
| Воздействие: | |
| CWE ID: | Нет данных |
| Наличие эксплоита: | Нет данных |
| Уязвимые продукты: | |
| Описание: | Author: LOM <lom at lom.spb.ru> Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet Explorer Vendor: Macromedia was contacted on 23 Oct 2002. Risk: High Remote: Yes Exploitable: Yes Into: Macromedia flash ActiveX plugin displays .swf files under Internet Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have the Macromedia Flash Player". Vulnerabilities: Few vulnerabilities were identified: protected memory reading, memory consumption DoS and more serious: 1. zlib 1.1.3 double free() bug 2. Buffer overflow in SWRemote parameter for flash object. Details: Last bug is very close to one reported by eEye in May [2]. Probably it was not found by eEye because overflow is heap based, so exception is triggered on free(). It may be achieved by setting and changing property with Javascript, for example. This kind of overflows (heap based Unicode overflow) is exploitable under Internet Explorer. Attached proof of concept (by LOM)[1] demonstrates exception triggered in free(). See [3] for exploiting heap overflows, [4] for exploiting Unicode overflows under Internet Explorer. Credits: Vulnerabilities were discovered by LOM <lom at lom.spb.ru> Vendor: Macromedia was contacted on 23 Oct 2002. The only reply was received on 29 Oct 2002 that Macromedia will look into these issues. Workaround: Disable ActiveX in Internet Explorer or uninstall flash ActiveX. References: 1. Macromedia Shockwave proof of concept http://www.security.nnov.ru/files/swfexpl.zip 2. eEye, Macromedia Flash Activex Buffer overflow http://www.eeye.com/html/Research/Advisories/AD20020502.html 3. w00w00 on Heap Overflows http://www.w00w00.org/files/articles/heaptut.txt 4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) http://www.security.nnov.ru/search/document.asp?docid=2554 5. Additional or updated information on this issue http://www.security.nnov.ru/search/news.asp?binid=1982 -- http://www.security.nnov.ru /\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles) |
| Ссылки: | Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX |