Adobe Director DIRAPI.DLL Memory Corruption Vulnerability

Core Security - CoreLabs


1. Advisory Information

Title: Adobe Director DIRAPI.DLL Memory Corruption Vulnerability
Advisory Id: CORE-2010-0405
Advisory URL: http://www.coresecurity.com/content/adobe-director-memory-corruption

Date published: 2010-05-11
Date of last update: 2010-05-11
Vendors contacted: Adobe
Release mode: Coordinated release

2. Vulnerability Information

Class: Input validation error [CWE-20]

Impact: Denial of service
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-0128

Bugtraq ID: N/A

3. Vulnerability Description

Adobe Director is prone to a memory corruption vulnerability due to an invalid write in dirapi.dll, when opening a malformed .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Adobe Director to open a specially crafted file.

4. Vulnerable packages

  • Adobe Director 11.5
  • Adobe Director 11 (Version: 11.0.0.426)

5. Non-vulnerable packages

  • Adobe Director 11.5 (Version: 11.5.7.609)

6. Solutions and Workarounds

See the Adobe Security Bulletin [1] available at
http://www.adobe.com/go/apsb10-12/.

7. Credits

This vulnerability was discovered and researched by Nahuel Riva, from Core Security Technologies. Additional research was performed by Francisco Falcon. Publication was coordinated by Jorge Lucangeli Obes.

8. Technical Description

The vulnerability is triggered at address 0x68174813 in the dirapi.dll module of Adobe Director. Improper validation of the input data leads to a crash at a memory write instruction. This vulnerability could result in arbitrary code execution, although this was not verified.

App: Adobe Director 11
Version: 11.0.0.426 
Module crash: Dirapi.dll Version: 11.0.0.426

Crash:
68174813  |.  8906          |MOV DWORD PTR DS:[ESI],EAX
68174815  |>  8B4C24 14     |MOV ECX,DWORD PTR SS:[ESP+14]
68174819  |.  51            |PUSH ECX
6817481A  |.  E8 3197F5FF   |CALL <JMP.&IML32.#1414>
6817481F  |.  8946 04       |MOV DWORD PTR DS:[ESI+4],EAX
68174822  |.  83C6 08       |ADD ESI,8
68174825  |.  4D            |DEC EBP
68174826  |.^ 75 C8         \JNZ SHORT DIRAPI.681747F0

EAX=00000000
DS:[02889B20]=???

Registers:
EAX 00000000
ECX 00000068
EDX 00000001
EBX FFE4B4D4
ESP 0012DFB8
EBP 0000373D
ESI 02889B20
EDI 01BC9964
EIP 68174813 DIRAPI.68174813
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NEGATIVE_SEEK (00000083)
EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000000 00000000
ST4 empty 0.0000106994366433355
ST5 empty 0.6322773098945617676
ST6 empty -0.0034003453329205513
ST7 empty 1041416.9375000000000
               3 2 1 0      E S P U O Z D I
FST 4220  Cond 1 0 1 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 007F  Prec NEAR,24  Mask    1 1 1 1 1 1

Stack Trace:
Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012DFC4   68175563   DIRAPI.681747A0                       DIRAPI.6817555E
0012DFE4   6817003B   DIRAPI.68175290                       DIRAPI.68170036
0012E018   6817020D   DIRAPI.6816FF40                       DIRAPI.68170208
0012E01C   00A923C8     Arg1 = 00A923C8
0012E020   00000011     Arg2 = 00000011
0012E024   00000003     Arg3 = 00000003
0012E028   0012E050     Arg4 = 0012E050
0012E02C   00001100     Arg5 = 00001100
0012E048   680F6D50   DIRAPI.681701A0                       DIRAPI.680F6D4B
0012E04C   00000000     Arg1 = 00000000
0012E050   00000003     Arg2 = 00000003
0012E054   00000091     Arg3 = 00000091
0012E058   0012E07C     Arg4 = 0012E07C
0012E05C   00001100     Arg5 = 00001100
0012E068   6800CFC0   DIRAPI.680F6D30                       DIRAPI.6800CFBB
0012E088   680817EC   DIRAPI.6800CF80                       DIRAPI.680817E7
0012E0B4   680823E3   DIRAPI.68081760                       DIRAPI.680823DE
0012E0C8   680836A7   DIRAPI.68082380                       DIRAPI.680836A2
0012E638   680839E2   DIRAPI.68082EA0                       DIRAPI.680839DD               0012E634
0012E63C   00A86E8C     Arg1 = 00A86E8C
0012E640   0012F5EC     Arg2 = 0012F5EC
0012E644   00000000     Arg3 = 00000000
0012E648   00000000     Arg4 = 00000000
0012E64C   0000001A     Arg5 = 0000001A
0012E674   68042D8C   DIRAPI.68083970                       DIRAPI.68042D87               0012F5EC
0012E678   00A86E8C     Arg1 = 00A86E8C
0012E67C   0012F5EC     Arg2 = 0012F5EC
0012E680   00000000     Arg3 = 00000000
0012E684   00000000     Arg4 = 00000000
0012E688   0000001A     Arg5 = 0000001A
0012E6B0   6800A111   DIRAPI.68042C90                       DIRAPI.#88+7C
0012E6B4   00A92588     Arg1 = 00A92588
0012E6B8   0012F5EC     Arg2 = 0012F5EC
0012E6BC   00000000     Arg3 = 00000000
0012E6C0   0000001A     Arg4 = 0000001A
0012E6DC   2018BB23   <JMP.&DIRAPI.#88>                     Director.2018BB1E
0012E83C   2027E776   ? Director.2018BAB0                   Director.2027E771

The vulnerable module dirapi.dll takes the two-byte word at offset 0x41B82 of the .dir file, and uses it as a counter for a loop that performs memory writes. The value is used without being verified:

68177D86  |.  85ED          TEST EBP,EBP                             ; EBP is the loop counter = word at offset 0x41B82
68177D88  |.  7E 3E         JLE SHORT DIRAPI.68177DC8
68177D8A  |.  8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
68177D90  |>  8B4424 10     /MOV EAX,DWORD PTR SS:[ESP+10]
68177D94  |.  85C0          |TEST EAX,EAX
68177D96  |.  74 11         |JE SHORT DIRAPI.68177DA9
68177D98  |.  8B4C24 14     |MOV ECX,DWORD PTR SS:[ESP+14]
68177D9C  |.  51            |PUSH ECX
68177D9D  |.  E8 786EF5FF   |CALL <JMP.&IML32.#1412>
68177DA2  |.  0FBFD0        |MOVSX EDX,AX
68177DA5  |.  8916          |MOV DWORD PTR DS:[ESI],EDX
68177DA7  |.  EB 0C         |JMP SHORT DIRAPI.68177DB5
68177DA9  |>  8B4424 14     |MOV EAX,DWORD PTR SS:[ESP+14]
68177DAD  |.  50            |PUSH EAX
68177DAE  |.  E8 796EF5FF   |CALL <JMP.&IML32.#1414>
68177DB3  |.  8906          |MOV DWORD PTR DS:[ESI],EAX              ; memory write
68177DB5  |>  8B4C24 14     |MOV ECX,DWORD PTR SS:[ESP+14]
68177DB9  |.  51            |PUSH ECX
68177DBA  |.  E8 6D6EF5FF   |CALL <JMP.&IML32.#1414>
68177DBF  |.  8946 04       |MOV DWORD PTR DS:[ESI+4],EAX            ; memory write
68177DC2  |.  83C6 08       |ADD ESI,8                               ; update the write destination address
68177DC5  |.  4D            |DEC EBP                                 ; decrement the counter
68177DC6  |.^ 75 C8         \JNZ SHORT DIRAPI.68177D90               ; loop until the counter is 0

If the word at offset 0x41B82 has a sufficiently high value, the application will loop more times than it should, thus corrupting memory beyond the limits of the destination buffer.

Moreover, after reading said word, this value is sign-extended into a four-byte dword using the MOVSX instruction. If the most significant bit of the word is set, the resulting dword will be of the form 0xFFFFXXXX, thus being a negative number if interpreted as a signed integer, and a very large number if interpreted as an unsigned integer:

68178A3E  |.  E8 D761F5FF   CALL <JMP.&IML32.#1412>
68178A43  |.  0FBFC0        MOVSX EAX,AX                             ; Move with sign extension. AX = word @ offset 0x41B82
68178A46  |.  8986 88000000 MOV DWORD PTR DS:[ESI+88],EAX

When the dword is negative, the application does not enter the loop. However, the application does calculate a value using this dword, which can be controlled by the attacker:

68177D72  |>  8D04EB        LEA EAX,DWORD PTR DS:[EBX+EBP*8]         ; EBP = word @ offset 0x41B82 converted to dword with MOVSX

This value is stored and later, after stepping over the loop, added to a pointer. This pointer is subsequently used as the destination operand of a memory write instruction inside another loop, giving the attacker partial control over the destination address of that memory write and allowing for memory corruption.

68178104  |>  8B3B          MOV EDI,DWORD PTR DS:[EBX]               ; load a pointer into EDI
68178106  |.  037C24 78     ADD EDI,DWORD PTR SS:[ESP+78]            ; add a value that partially depends on user-controlled data to that pointer
6817810A  |.  33F6          XOR ESI,ESI
6817810C  |.  85ED          TEST EBP,EBP
6817810E  |.  7E 15         JLE SHORT DIRAPI.68178125
68178110  |>  8B5424 7C     /MOV EDX,DWORD PTR SS:[ESP+7C]
68178114  |.  52            |PUSH EDX
68178115  |.  E8 006BF5FF   |CALL <JMP.&IML32.#1412>
6817811A  |.  0FBFC0        |MOVSX EAX,AX
6817811D  |.  8904B7        |MOV DWORD PTR DS:[EDI+ESI*4],EAX        ; memory write
68178120  |.  46            |INC ESI                                 ; update the destination address
68178121  |.  3BF5          |CMP ESI,EBP
68178123  |.^ 7C EB         \JL SHORT DIRAPI.68178110
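The following C program, added here as an illustration and not code from the advisory or from Adobe, models the two properties described above: a sign-extended 16-bit count driving an unbounded loop of 8-byte writes, and the count*8 scaled value that goes negative when the sign bit is set. Next to it sits the sign and bounds validation the original loop lacks; the buffer size and field layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern described above (not Adobe's code):
 * a 16-bit word from the file is sign-extended to 32 bits (MOVSX), then
 * used as a loop counter for 8-byte writes (ADD ESI,8) and as a scaled
 * offset (LEA EAX,[EBX+EBP*8]). The checked loop adds the two validations
 * the original lacks: reject a negative count and bound it by the buffer. */
#define ENTRY_SIZE 8   /* bytes stored per iteration of the write loop */

/* Read a little-endian 16-bit word and sign-extend it the way MOVSX does. */
int32_t read_count_movsx(const uint8_t *p)
{
    int16_t w = (int16_t)(p[0] | (p[1] << 8));
    return (int32_t)w;   /* 0x8000..0xFFFF become 0xFFFF8000..0xFFFFFFFF */
}

/* count*8, as in LEA EAX,[EBX+EBP*8]: negative when the sign bit is set. */
int32_t scaled_offset(const uint8_t *p)
{
    return read_count_movsx(p) * ENTRY_SIZE;
}

/* Hardened write loop. Returns the number of entries written, or -1 when
 * the count is rejected. cap_bytes is the capacity of out in bytes. */
int fill_entries_checked(const uint8_t *p, uint8_t *out, size_t cap_bytes)
{
    int32_t count = read_count_movsx(p);
    if (count < 0)
        return -1;                       /* sign bit set in the file word */
    if ((size_t)count > cap_bytes / ENTRY_SIZE)
        return -1;                       /* loop would write past the buffer */
    for (int32_t i = 0; i < count; i++)  /* stands in for the two DWORD stores */
        memset(out + (size_t)i * ENTRY_SIZE, 0, ENTRY_SIZE);
    return count;
}

int main(void)
{
    /* Constructed sample words: 0x373D (EBP in the crash dump), 0xFFFF, 0x0002 */
    const uint8_t big[2] = {0x3D, 0x37}, neg[2] = {0xFF, 0xFF}, two[2] = {0x02, 0x00};
    uint8_t buf[16];
    printf("0x373D: count %d, checked %d\n", read_count_movsx(big), fill_entries_checked(big, buf, sizeof buf));
    printf("0xFFFF: count %d, offset %d, checked %d\n", read_count_movsx(neg), scaled_offset(neg), fill_entries_checked(neg, buf, sizeof buf));
    printf("0x0002: checked %d\n", fill_entries_checked(two, buf, sizeof buf));
    return 0;
}
```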

9. Report Timeline

  • 2010-04-14: Vendor contacted.
  • 2010-04-14: Vendor requests PoC file.
  • 2010-04-14: Core replies with the PoC file and the draft advisory.
  • 2010-04-14: Adobe replies that it will investigate the issue and sets a preliminary release date for June/July.
  • 2010-04-15: Core agrees with the preliminary release date.
  • 2010-04-28: Core requests an update on the situation, and asks whether Adobe was able to confirm if the bug is exploitable.
  • 2010-04-28: Adobe replies that the issue was investigated and is scheduled to be fixed in the next release of Adobe Shockwave Player, planned for May; they did not carry out further exploitability research.
  • 2010-04-28: Core requests a specific publication date for the fix.
  • 2010-05-06: Adobe informs Core that the release date for the fix has been set to May 11th.
  • 2010-05-07: Core asks Adobe if they want to provide the text for the "Solutions and Workarounds" section of the advisory.
  • 2010-05-07: Adobe replies with the text for the "Solutions and Workarounds" section of the advisory.
  • 2010-05-11: Advisory published.
  • 2010-07-01: Additional research performed.

10. References

[1] Adobe Security Bulletin http://www.adobe.com/go/apsb10-12/.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) Licence: http://creativecommons.org/licenses/by-nc-sa/3.0/us/.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.