CVE-2011-2448 Adobe ShockwaveDirector File Parsing data of rcsl chunk multiple DOS vulnerabilities

最新推荐文章于 2024-08-14 10:38:26 发布

instruder

最新推荐文章于 2024-08-14 10:38:26 发布

阅读量498

点赞数

分类专栏：漏洞挖掘文章标签： parsing adobe file dos exception security

本文链接：https://blog.csdn.net/instruder/article/details/6953737

版权

漏洞挖掘专栏收录该内容

15 篇文章 0 订阅

订阅专栏

Adobe Shockwave Player Director File Parsing data of rcsl chunk multiple DOS vulnerabilities

CAL_ID: CAL-2011-0054
CVE ID: CVE-2011-2448
Discover: instruder of code audit labs of vulnhunt.com

http://www.adobe.com/support/security/bulletins/apsb11-27.html

1 Affected Products
=================
Test Version：Adobe Shockwave Player 11.6.1.629(last version)

2 Vulnerability Details
=====================

When adobe shockwave player parsing data of rcsl chunk of Director File,
because of the wrong Calculate, you can bypass the check.This will cause a
crash,In the handle of rcsl chunk,this problem exists in dispatcher for
case 0xD2,0xCB,0xcc,0xD1 .

3 Exploitable?
============

Successfully exploiting this issue cause denial-of-service conditions.
but according to adobe security Bulletins they mark it as could lead to
code execution.

4 Crash info:
===============
(3cc.1e0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0319f7c0 ebx=7ffffff8 ecx=026101fc edx=0319f7b0 esi=032b2fd4 edi=0310c34b
eip=68109402 esp=0012d684 ebp=0319f81c iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00210206
DIRAPI+0×109402:
68109402 8b1418          mov     edx,dword ptr [eax+ebx] ds:0023:8319f7b8=????????
0:000> KB
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d69c 6810bad5 026101fc 00000003 001d554c DIRAPI+0×109402
00000000 00000000 00000000 00000000 00000000 DIRAPI+0x10bad5

5 Timeline
=========
2011-9-27 report to adobe
2011-9-28 vendor ask poc file
2011-9-28 we sent the poc file.
2011-9-30 vendor comfirm the issue.
2011-11-8 Coordinated public release of advisory.

6 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:” You create value for customer,We protect your value”

http://www.VulnHunt.com