Security Lab

LOM: Multiple vulnerabilities in Macromedia Flash ActiveX

Publication date: 22.11.2002
Total views: 1443
Fix available:
Number of vulnerabilities: 1
CVE ID: No data
Exploitation vector:
CWE ID: No data
Exploit available: No data
Affected products:
Description: Author: LOM <lom at>
Product:  Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
Vendor: Macromedia was contacted on 23 Oct 2002.
Risk: High
Remote: Yes
Exploitable: Yes


The Macromedia Flash ActiveX plugin displays .swf files under Internet
Explorer. Quoting "Over 97.8% of all web users have
the Macromedia Flash Player".


Several vulnerabilities were identified: reading of protected memory, a
memory consumption DoS and, more seriously:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in the SWRemote parameter for the Flash object.


The last bug is very close to the one reported by eEye in May [2].
Probably it was not found by eEye because the overflow is heap based, so
the exception is triggered on free(). It may be achieved by setting and
changing the property with JavaScript, for example. This kind of overflow
(heap-based Unicode overflow) is exploitable under Internet Explorer. The
attached proof of concept (by LOM) [1] demonstrates the exception
triggered in free(). See [3] for exploiting heap overflows and [4] for
exploiting Unicode overflows under Internet Explorer.
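
The point made above, that a heap overrun passes silently at the write and is only noticed when the block is released, shown as an added example (not code from the advisory, its proof of concept, or Flash). It assumes, purely for illustration, that the overrun comes from sizing a buffer in characters while writing 2-byte units; the guard zone stands in for heap bookkeeping checked in free(), and every name and the sample value are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CANARY 0xA5u
#define GUARD  64   /* slack after the user area, so the demo overrun stays inside our own allocation */
typedef struct { size_t size; } hdr_t;

/* Allocate `size` usable bytes followed by a canary-filled guard zone. */
static void *guarded_alloc(size_t size) {
    hdr_t *h = malloc(sizeof *h + size + GUARD);
    if (!h) return NULL;
    h->size = size;
    memset((unsigned char *)(h + 1) + size, CANARY, GUARD);
    return h + 1;
}

/* Free the block: 0 if the guard is intact, -1 if an earlier write ran past the end. */
static int guarded_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    const unsigned char *g = (const unsigned char *)p + h->size;
    int rc = 0;
    for (size_t i = 0; i < GUARD; i++)
        if (g[i] != CANARY) { rc = -1; break; }
    free(h);
    return rc;
}

/* Widen n single-byte characters to 2-byte units; returns -1 if 2*n bytes do not fit. */
static int widen(uint8_t *dst, size_t dst_bytes, const char *src, size_t n) {
    if (n > dst_bytes / 2) return -1;
    for (size_t i = 0; i < n; i++) { dst[2 * i] = (uint8_t)src[i]; dst[2 * i + 1] = 0; }
    return 0;
}

/* One scenario; returns what guarded_free() reports when the buffer is released. */
static int run(int checked) {
    const char value[] = "constructed-parameter-value";   /* constructed sample input */
    size_t n = sizeof value - 1;
    uint8_t *buf = guarded_alloc(n);   /* modelled bug: sized in characters, not bytes */
    if (!buf) return -2;
    (void)widen(buf, checked ? n : 2 * n, value, n);   /* wrong caller overstates the room */
    return guarded_free(buf);
}

int main(void) {
    printf("unchecked: %d, checked: %d\n", run(0), run(1));
    return 0;
}
```

In the unchecked run the copy itself completes without any error and the corruption is reported only by guarded_free(); passing the true byte size makes widen() refuse the input before anything is written.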


Vulnerabilities were discovered by LOM <lom at>


Macromedia was contacted on 23 Oct 2002. The only reply, received on
29 Oct 2002, was that Macromedia will look into these issues.


Disable ActiveX in Internet Explorer or uninstall the Flash ActiveX control.


1. Macromedia Shockwave proof of concept
2. eEye, Macromedia Flash Activex Buffer overflow
3. w00w00 on Heap Overflows
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
   few sidenotes on Unicode overflows in general)
5. Additional or updated information on this issue

Links: Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX