Memory corruption when Adobe Shockwave Player parses .dir media file  (CVE-2012-2029)

Document created by Robert Dell'Immagine Employee on May 7, 2012Last modified by Robert Dell'Immagine Employee on May 8, 2012
Version 5Show Document
  • View in full screen mode

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

 

Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IMLLib by opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x2306. 

 

This problem was confirmed in the following versions of Adobe Shockwave Player and MacOS X, other versions may be also affected.

 

Shockwave Player version 11.6.3r633, Module IMLLib.framework on MacOS X 10.7.2 (11C74)

 

CVSS Scoring System

 

The CVSS score is: 9

    Base Score: 10

    Temporal Score: 9

We used the following values to calculate the scores:

    Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C

    Temporal score is: E:POC/RL:U/RC:C

 

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.dir) is available to interested parties.  Use Firefox or Safari to open the file and reproduce the vulnerability.

 

DETAILS

Disassembly:

 

(gdb) disas $pc        

Dump of assembler code for function memmove$VARIANT$sse42:

0x991539bd <memmove$VARIANT$sse42+0>:    push   %ebp

0x991539be <memmove$VARIANT$sse42+1>:    mov    %esp,%ebp

0x991539c0 <memmove$VARIANT$sse42+3>:    push   %esi

0x991539c1 <memmove$VARIANT$sse42+4>:    push   %edi

0x991539c2 <memmove$VARIANT$sse42+5>:    mov    0x8(%ebp),%edi

0x991539c5 <memmove$VARIANT$sse42+8>:    mov    0xc(%ebp),%esi

0x991539c8 <memmove$VARIANT$sse42+11>:    mov    0x10(%ebp),%ecx

0x991539cb <memmove$VARIANT$sse42+14>:    mov    %edi,%edx

0x991539cd <memmove$VARIANT$sse42+16>:    sub    %esi,%edx

0x991539cf <memmove$VARIANT$sse42+18>:    cmp    %ecx,%edx

0x991539d1 <memmove$VARIANT$sse42+20>:    jb     0x99153a01 <memmove$VARIANT$sse42+68>

0x991539d3 <memmove$VARIANT$sse42+22>:    cmp    $0x50,%ecx

0x991539d6 <memmove$VARIANT$sse42+25>:    ja     0x99153a06 <memmove$VARIANT$sse42+73>

0x991539d8 <memmove$VARIANT$sse42+27>:    mov    %ecx,%edx

0x991539da <memmove$VARIANT$sse42+29>:    shr    $0x2,%ecx

0x991539dd <memmove$VARIANT$sse42+32>:    je     0x991539ec <memmove$VARIANT$sse42+47>

0x991539df <memmove$VARIANT$sse42+34>:    mov    (%esi),%eax <----- Crash here

 

Program received signal EXC_BAD_ACCESS, Could not access memory.

Reason: KERN_INVALID_ADDRESS at address: 0x3f5d8935

0x991539df in memmove$VARIANT$sse42 ()

(gdb) bt

#0  0x991539df in memmove$VARIANT$sse42 ()

#1  0x0452eb61 in imPostQuitMessage ()

#2  0x045079f5 in imMemCopy ()

#3  0x070f414d in VListGetNumEntries ()

#4  0x0700b93a in TELscriptRef_GetPropertyInitsAsHandle ()

#5  0x0709b6b3 in MovieMemoryDispose ()

#6  0x0703d409 in TELscriptRef_GetPropertyInitsAsHandle ()

#7  0x0703db71 in TELscriptRef_GetPropertyInitsAsHandle ()

#8  0x0705e4f5 in mmpRewind ()

#9  0x06fa1970 in MovieInstLoadMovie ()

#10 0x01f51f89 in main ()

#11 0x01f526fa in main ()

#12 0x04531a64 in imNPMessageHandleMacEvent ()

#13 0x01f507cf in main ()

#14 0x01f535d0 in main ()

#15 0x01f48bcc in dyld_stub_Gestalt ()

#16 0x996bedd9 in CAOpenGLLayerDraw ()

#17 0x996be842 in -[CAOpenGLLayer _display] ()

#18 0x9968dff5 in CA::Layer::display ()

#19 0x9968df11 in -[CALayer display] ()

#20 0x99685aec in CA::Layer::display_if_needed ()

#21 0x99684883 in CA::Context::commit_transaction ()

#22 0x99684594 in CA::Transaction::commit ()

#23 0x996843f8 in +[CATransaction commit] ()

#24 0x010838dd in nsCARenderer::Render ()

Previous frame inner to this frame (gdb could not unwind past this frame)

(gdb) x/i $pc

0x991539df <memmove$VARIANT$sse42+34>:    mov    (%esi),%eax

(gdb) i r $esi $eax

esi            0x3f5d8935    1063094581

eax            0x4    4

 

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco (https://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL).

Attachments

    Outcomes