Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Marc Maiffret (marc_at_eeye.com)
Date: Mon Dec 16 2002 - 19:28:22 CST
Macromedia Shockwave Flash Malformed Header Overflow #2
December 16, 2002
High (Remote Code Execution)
Macromedia Flash Player versions less than 188.8.131.52
While working on some pre-release Retina® CHAM tools, multiple exploitable
conditions were discovered within the Shockwave Flash file format SWF
There exists a vulnerability within Macromedia's Flash software and its
handling of malformed Flash files. Attackers can use this vulnerability to
compromise users of Macromedia's Flash software. A corrupt file may be
placed on a website or in some cases within an HTML email.
We provided Macromedia with various corrupt Flash files, a few of which we
verified for exploitability. Macromedia has since fixed the exploitable
conditions as well as various other bugs that were found.
The primary danger of exploiting Macromedia Flash is its extensive user base
and portability across operating systems. Further, it is "version frozen" on
operating system installation set-ups, so issues may linger for sometime.
Regardless, Macromedia has fixed all of the known issues.
The data header is roughly made out as:
[Flash Signature][version (1)][File Length(a number of bytes too
short)][Frame Size (malformed)][Frame Rate (malformed)][Frame Count
While the diagram may remain the same for this issue as in the previous
issue (http://www.eeye.com/html/Research/Advisories/AD20020808b.html), there
are variations in the malformed data which are very specific to this issue.
In this case, EBP is completely controlled, so exploitation is
straight-forward. EDI is also directly controlled as well as EDX and EDI
which all give attackers the ability to easily exploit the vulnerable
Retina® Network Security Scanner (http://www.eeye.com/Retina) has been
updated to identify this latest Macromedia Flash vulnerability.
Macromedia has been notified and released a patch for this vulnerability,
Drew Copley, Research Engineer, eEye Digital Security
StoneFisk, the Shrug, Zonetripper, Die Liu Yu, Dror Shalev, Malware.
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alerteEye.com for
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security