Adobe Shockwave Player TextXtra.x32 vulnerability

Advisory ID: CORE-2011-0825

1. Advisory Information

Title: Adobe Shockwave Player TextXtra.x32 vulnerability
Advisory ID: CORE-2011-0825
Advisory URL: http://www.coresecurity.com/content/adobe-shockwave-textxtra-vulnerability
Date published: 2011-11-08
Date of last update: 2011-11-08
Vendors contacted: Adobe
Release mode: Coordinated release

2. Vulnerability Information

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-2447


3. Vulnerability Description

A memory corruption vulnerability in Adobe Shockwave Player can be leveraged to execute arbitrary code on vulnerable systems by enticing users to visit a malicious web site with a specially crafted .dir file. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.

4. Vulnerable packages

  • Adobe Shockwave Player 11.6.1.629 and earlier versions for Windows and Macintosh.

5. Non-vulnerable packages

  • Adobe Shockwave Player 11.6.3.633 [2]

6. Vendor Information, Solutions and Workarounds

Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions upgrade to the newest version 11.6.3.633 available at: http://get.adobe.com/shockwave/

Adobe categorizes this as a critical update and recommends that users apply the latest update for their product installation by following the instructions in the Security Bulletin [1].

7. Credits

This vulnerability was discovered and researched by Pablo Santamaria from Core Security Technologies. The publication of this advisory was coordinated by Carlos Sarraute.


8. Technical Description / Proof of Concept Code

A memory corruption vulnerability can be triggered when Adobe Shockwave Player parses a specially crafted .dir file. As the disassembly below shows (the markers [3], [4] and [5] refer to the annotated lines in the listing), the code reads a value from the file [3] and stores the result in the ESI register [4]. That register is then used as the counter that terminates a loop [5]. Because the counter comes straight from the file and is never validated, the attacker decides how many times the loop body runs; each iteration calls the sub_69774E23 function and advances EDI by 0x10, so an excessive count leads to heap-based memory corruption and possibly to arbitrary code execution.


.text:69774E8C push esi
.text:69774E8D push edi
.text:69774E8E push [esp+8+arg_4]
.text:69774E92 call sub_6976C9F7 ; [3]
.text:69774E97 push [esp+8+arg_4]
.text:69774E9B mov esi, eax ; [4]
.text:69774E9D call sub_6976CBC8
.text:69774EA2 mov edi, eax
.text:69774EA4 jmp short loc_69774EB4
.text:69774EA6 ; ---------------------------------------------------------------------------
.text:69774EA6
.text:69774EA6 loc_69774EA6:
.text:69774EA6 push edi
.text:69774EA7 push [esp+0Ch+arg_0]
.text:69774EAB call sub_69774E23
.text:69774EB0 add edi, 10h
.text:69774EB3 dec esi ; [5]
.text:69774EB4
.text:69774EB4 loc_69774EB4:
.text:69774EB4 test esi, esi ; [5]
.text:69774EB6 jg short loc_69774EA6
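The following C code is an added illustration of the pattern in the listing above, not code from the advisory or from Adobe's product: a record count read from the file (as at [3] and [4]) is used as the only bound of a loop (as at [5]) that writes one 16-byte record per iteration ("add edi, 10h"), shown beside a hardened version that validates the count first. The header layout, the RECORD_SIZE and MAX_RECORDS values and the sample inputs are all constructed assumptions for the example and do not describe the real .dir format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_SIZE 16u   /* one 16-byte record per iteration: "add edi, 10h" */
#define MAX_RECORDS 4u    /* assumed capacity of the heap destination buffer */

/* Little-endian 32-bit read. The header layout used here is constructed for
 * the example; it is not the real .dir format. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* VULNERABLE pattern: the count read from the file ([3],[4]) is the only
 * loop bound ([5]), so a large count walks past dst. For contrast only. */
int parse_records_vulnerable(const uint8_t *file, uint8_t *dst) {
    int32_t count = (int32_t)rd32(file);      /* esi; "jg" is a signed compare */
    const uint8_t *src = file + 4;
    for (; count > 0; count--) {              /* test esi,esi / dec esi */
        memcpy(dst, src, RECORD_SIZE);        /* stand-in for sub_69774E23 */
        dst += RECORD_SIZE; src += RECORD_SIZE;
    }
    return 0;
}

/* HARDENED: bound the count by the destination capacity and by the bytes
 * actually present before the loop runs. Returns records copied or -1. */
int parse_records_hardened(const uint8_t *file, size_t len, uint8_t *dst, size_t dst_records) {
    if (len < 4) return -1;
    uint32_t count = rd32(file);
    size_t avail = (len - 4) / RECORD_SIZE;
    if (count > dst_records || count > avail) return -1;   /* the missing input-validation check */
    memcpy(dst, file + 4, (size_t)count * RECORD_SIZE);
    return (int)count;
}

/* Constructed inputs: a 4-byte count followed by 16-byte records. */
static uint8_t g_dst[MAX_RECORDS * RECORD_SIZE];
int demo_well_formed(void) {          /* count 2, two records present -> 2 */
    uint8_t f[4 + 2 * RECORD_SIZE] = { 2, 0, 0, 0 };
    memset(f + 4, 'A', 2 * RECORD_SIZE);
    return parse_records_hardened(f, sizeof f, g_dst, MAX_RECORDS);
}
int demo_count_exceeds_data(void) {   /* count 3, only two records -> -1 */
    uint8_t f[4 + 2 * RECORD_SIZE] = { 3, 0, 0, 0 };
    return parse_records_hardened(f, sizeof f, g_dst, MAX_RECORDS);
}
int demo_count_exceeds_buffer(void) { /* count 5 with data, buffer holds 4 -> -1 */
    uint8_t f[4 + 5 * RECORD_SIZE] = { 5, 0, 0, 0 };
    return parse_records_hardened(f, sizeof f, g_dst, MAX_RECORDS);
}
```

The hardened parser rejects a header whose count exceeds either the destination buffer or the data actually present, which is the check whose absence turns the file-controlled loop counter into a heap write past the buffer.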


9. Report Timeline

  • 2011-09-19: Core Security Technologies notifies the Adobe PSIRT team of the vulnerability. Preliminary publication date is set to October 10, 2011.
  • 2011-09-19: The vendor requests a technical description of the vulnerability.
  • 2011-09-20: Core sends to Adobe PSIRT the technical details and a PoC file to reproduce the vulnerability.
  • 2011-09-20: Vendor acknowledges the receipt of the technical information, and assigns Adobe tracking number 1065 to this case.
  • 2011-10-12: Core requests an update concerning this issue, and reschedules the publication of its advisory for November 7, 2011, as an effort to coordinate it with the release of fixes.
  • 2011-10-12: Vendor replies that the release of a fix is currently scheduled for the next update of Adobe Shockwave on November 8th, 2011.
  • 2011-10-12: Core acknowledges the vendor response, and asks whether a CVE name has been assigned to the vulnerability.
  • 2011-10-12: Vendor responds that CVE names are assigned closer to the release date.
  • 2011-11-03: Core asks the vendor whether it is still on track to release fixes on November 8th, and requests a CVE name and a list of affected versions.
  • 2011-11-03: Vendor confirms the release date, and states that affected versions of Adobe Shockwave Player are 11.6.1.629 and earlier versions.
  • 2011-11-04: Vendor asks whether the acknowledgements text of its upcoming security bulletin [1] is accurate.
  • 2011-11-07: Core confirms the text.
  • 2011-11-08: The advisory CORE-2011-0825 is published.

10. References

[1] Security bulletin for Adobe Shockwave Player http://www.adobe.com/support/security/bulletins/apsb11-27.html

[2] Upgrade Adobe Shockwave Player http://get.adobe.com/shockwave/

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of the Core Security Technologies advisories team.