August 8, 2002 Security Advisory

Macromedia Shockwave Flash Malformed Header OverflowT

This exploit and the corresponding fix were made public earlier today.

Release Date: August 8, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
Macromedia Shockwave Flash - All Versions;
Unix and Windows; Netscape and Internet Explorer

Description:
As exploitable condition was discovered within the Shockwave Flash file format called SWF
(pronounced "SWIF").

This exploit was discovered a few days ago and Macromedia immediately fixed the bug
and released a patch available at the main download center (simply download the
latest version of the Flash player). This exploit allows a hacker to remotely run
code on the victim's computer. For those of you interested in technical details, read on.
For anyone else, please go to 
http://www.macromedia.com/shockwave/download/frameset.fhtml?P1_Prod_Version=ShockwaveFlash
to download the latest FIXED version of Flash Player 6.

Since this is a browser based bug, it makes it trivial to bypass firewalls
and attack the user at his desktop. Also, application browser bugs allow you
to target users based on the websites they visit, the newsgroups they read,
or the mailing lists they frequent. It is a "one button" push attack, and
using anonymous remailers or proxies for these attacks is possible.

This vulnerability has been proven to work with all versions of Macromedia
Flash on Windows and Unix, through IE and Netscape. It may be run wherever
Shockwave files may be displayed or attached, including: websites, email,
news postings, forums, Instant Messengers, and within applications utilizing
web-browsing functionality.

Technical Description:
The data header is roughly made out to:

[Flash signature][version (1)][File Length(A number of bytes too
short)][frame size (malformed)][Frame Rate (malformed)][Frame Count
(malformed)][Data]

By creating a malformed header we can supply more frame data than the
decoder is expecting. By supplying enough data we can overwrite a function
pointer address and redirect the flow of control to a specified location as
soon as this address is used. At the moment the overwritten address takes
control flow, an address pointing to a portion of our data is 8 bytes back
from the stack pointer. By using a relative jump we redirect flow into a
"call dword ptr [esp+N]", where N is the number of bytes from the stack
pointer. These "jump points" can be located in multiple loaded dll's. By
creating a simple tool using the debugging API and ReadMemory, you can
examine a process's virtual address space for useful data to help you with
your exploitation.

This is not to say other potentially vulnerable situations have not been
found in Macromedia's Flash. We discovered about seventeen others before we
ended our testing. We are working with Macromedia on these issues.

Vendor Status:
Macromedia has released a patch for this vulnerability, available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=M
PSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%2
0Issue&Cache=False

Discovery: Drew Copley from eEye Digital Security

* To ensure your privacy, your address is not visible to the recipients of this
message. 
* If you would like to be removed from this list, please reply to this email
* with "remove" in the body of the email. 

Scan your computer for viruses every week and don't forget to back up your files! 

Fredo
http://www.workingarts.com/infosecarchives