RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow

From: Drew (dcopleyat_private)
Date: Mon Aug 12 2002 - 15:11:59 PDT

    This is very similar to one of the other crashes we have found. (Breaking
    into it reveals the same instruction as one of them). The current revision
    does not fix any of these other potentially exploitable crashes mentioned
    in the advisory.
    
    The difficulty is really in making these crashes exploitable. The
    one we posted about was absolutely exploitable, and we wrote exploit
    code for it. This involved running bit combinations of the header
    and built-in stack tracing where key EIP changes were alerted and
    logged to a file. Since it is nearly impossible to crack 27 bytes with
    combinations between 00 and FF, we made some educated jumps at
    key junctures... over a period of several weeks.
    
    This said, running tests against other filetypes has revealed
    similar issues which we are trying to find the time to fully work
    out. (The actual primary testing method does not involve so much
    bit shifting as it does going through the file systematically,
    looking for memory write issues, so that every error condition might
    at least be caught).
    
    And, some filetypes are far more difficult to test in this automated
    manner than Flash. For instance, pdf files involve a lengthy loading
    of the slow running pdf module, and numerous office applications open
    outside windows which must be automatically closed... still not giving
    a solid opportunity to use the automated exception handler and
    debugger.
    
    Hopefully, in the not too distant future Macromedia will have all
    of these potentially exploitable conditions removed from their file
    type, as their software is exceedingly popular and would make for
    a very bad method of attack against users. 
    
    
    
    
    > -----Original Message-----
    > From: Carlos Laviola [mailto:carlosat_private] 
    > Sent: Sunday, August 11, 2002 3:14 AM
    > To: 'BUGTRAQ'
    > Subject: Re: EEYE: Macromedia Shockwave Flash Malformed 
    > Header Overflow
    > 
    > 
    > On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
    > > The linux and solaris updates will be available later today.
    > > 
    > > You will be able to download it at: 
    > > www.macromedia.com/go/getflashplayer/
    > 
    > I've downloaded this fixed version, but it seems to be 
    > vulnerable to something I've discovered last week: if you 
    > take a .swf and rot13 encode it (not all of it, so the 
    > headers are not messed up), you can crash the user's browser. 
    > I've tested it on Netscape 4.77 with Flash 4.0 r12 and
    > Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0 
    > r50 (both running on Debian unstable) and IE 6.0 (on Windows 
    > 2000) and all of them crash instantly when I try to open the 
    > rot13-garbled file.
    > 
    > Check it out:
    > 
    > http://alternex.com.br/~claviola/sample1.swf (original)
    > http://alternex.com.br/~claviola/sample2.swf (modified)
    
    -- 
    Carlos Laviola <carlosat_private>
    
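The two mutation approaches described in this thread, as an added example that is not eEye's tooling nor either poster's code: Carlos Laviola's rot13 of a .swf with the header left intact, and the systematic per-offset/per-value sweep with logging of abnormal terminations that Drew describes. The 8-byte SWF header layout (FWS/CWS signature, version byte, little-endian 32-bit file length) is the documented format; the sample file, the `stand_in_target` one-liner (which exits non-zero instead of a real player crashing) and the log file name are constructed for the example. Crash detection here is by process exit status rather than an attached exception handler and debugger, which is a simplification of what the advisory authors used.

```python
"""Header-preserving SWF mutation fuzzer (added example, not the posters' code)."""
import codecs
import os
import struct
import subprocess
import sys
import tempfile
from typing import Iterator, List, Optional, Tuple

SWF_HEADER_LEN = 8  # signature(3) + version(1) + uint32 LE file length(4)


def parse_swf_header(data: bytes) -> Tuple[bytes, int, int]:
    """Return (signature, version, declared_length); rejects non-SWF input."""
    if len(data) < SWF_HEADER_LEN:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("bad SWF signature %r" % sig)
    return sig, version, length


def make_sample_swf() -> bytes:
    """Constructed minimal uncompressed SWF v6: empty RECT (Nbits=0, one byte),
    frame rate 12.0 as 8.8 fixed, frame count 1, then an End tag."""
    body = bytes([0x00]) + struct.pack("<H", 12 << 8) + struct.pack("<H", 1) + b"\x00\x00"
    header = b"FWS" + bytes([6]) + struct.pack("<I", SWF_HEADER_LEN + len(body))
    return header + body


def rot13_body(data: bytes) -> bytes:
    """Carlos Laviola's variant: rot13 everything after the header. A text rot13
    filter only touches ASCII letters, so other bytes pass through unchanged."""
    parse_swf_header(data)
    head, body = data[:SWF_HEADER_LEN], data[SWF_HEADER_LEN:]
    garbled = codecs.encode(body.decode("latin-1"), "rot13").encode("latin-1")
    return head + garbled


def byte_sweep(data: bytes, values=range(256)) -> Iterator[Tuple[int, int, bytes]]:
    """Drew's systematic pass: every body offset, every candidate byte value,
    header untouched. Yields (offset, value, variant)."""
    parse_swf_header(data)
    for off in range(SWF_HEADER_LEN, len(data)):
        original = data[off]
        for v in values:
            if v == original:
                continue
            yield off, v, data[:off] + bytes([v]) + data[off + 1:]


def run_target(cmd: List[str], variant: bytes, timeout: float = 10.0) -> int:
    """Write the variant to a temp file, run cmd with the path appended and
    return its exit status; on POSIX a negative status means killed by a signal
    (e.g. -11 for SIGSEGV). 1000 is a sentinel for a hang."""
    with tempfile.NamedTemporaryFile(suffix=".swf", delete=False) as f:
        f.write(variant)
        path = f.name
    try:
        proc = subprocess.run(list(cmd) + [path], timeout=timeout, capture_output=True)
        return proc.returncode
    except subprocess.TimeoutExpired:
        return 1000
    finally:
        os.unlink(path)


def fuzz(cmd: List[str], data: bytes, log_path: Optional[str] = None,
         values=range(256)) -> List[Tuple[int, int, int]]:
    """Sweep the file and record every abnormal exit as (offset, value, status),
    also appended to log_path so a hit can be reproduced later."""
    crashes = []
    log = open(log_path, "a") if log_path else None
    try:
        for off, v, variant in byte_sweep(data, values):
            rc = run_target(cmd, variant)
            if rc != 0:
                crashes.append((off, v, rc))
                if log:
                    log.write("offset=0x%x value=0x%02x status=%d\n" % (off, v, rc))
    finally:
        if log:
            log.close()
    return crashes


def stand_in_target(bad_value: int) -> List[str]:
    """Constructed stand-in for a real player so the harness can be tried without
    Flash: a Python one-liner that exits 1 when the first body byte == bad_value."""
    return [sys.executable, "-c",
            "import sys; d=open(sys.argv[1],'rb').read(); sys.exit(1 if d[8]==%d else 0)"
            % bad_value]


if __name__ == "__main__":
    # Usage: python swf_fuzz.py [target-command ...]   (file name is hypothetical)
    sample = make_sample_swf()
    print("rot13 variant:", rot13_body(sample + b"Hello").hex())
    if len(sys.argv) > 1:
        print(fuzz(sys.argv[1:], sample, "crashes.log"))
    else:
        print("sweep variants for sample:", sum(1 for _ in byte_sweep(sample)))
```

A real run points `fuzz` at the player's standalone projector (or a browser with a URL-to-file wrapper) and, as Drew notes for PDF and Office formats, the hard part is killing leftover windows and bounding load time so the sweep actually finishes; the `timeout` and the hang sentinel are where that goes.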



    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 10:21:47 PDT