Macromedia Flash Null Pointer Assignment in LoadMovie() Lets Remote Users Deny Service
SecurityTracker Alert ID: 1009674
SecurityTracker URL: http://securitytracker.com/id/1009674
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 6 2004
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 7.0 r19
Description:
Rafel Ivgi (The-Insider) reported a null pointer vulnerability in the Macromedia Flash Player. A remote user can cause a target user's player to crash.
It is reported that a remote user can create code that calls the LoadMovie() function with a non-zero layer index to cause the target user's player to crash.
Some demonstration exploit content is provided:
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
Impact:
A remote user can create Flash content that, when loaded by the target user, will cause the target user's player to crash.
Solution:
No solution was available at the time of this entry.
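One way to flag content that uses the pattern described above is to scan script blocks for a Flash control bound through CreateObject and a LoadMovie call whose layer is not 0. This is an added example, not part of the SecurityTracker entry or the original report; the function names and the second sample script are constructed, and it covers only the VBScript CreateObject form shown in this entry.

```python
import re

# VBScript is case-insensitive, so every pattern is too.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Set <var> = CreateObject("ShockwaveFlash.ShockwaveFlash[.N]")
BIND_RE = re.compile(
    r'\bSet\s+(\w+)\s*=\s*CreateObject\s*\(\s*'
    r'"ShockwaveFlash\.ShockwaveFlash(?:\.\d+)?"', re.I)
# <var>.LoadMovie <layer>, "<url>"  (call parentheses are optional)
CALL_RE = re.compile(
    r'\b(\w+)\.LoadMovie\s*\(?\s*([^,\r\n]+?)\s*,\s*"([^"]*)"', re.I)

# Constructed sample: the advisory's snippet plus a layer-0 call for contrast.
SAMPLE = '''<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
<script language=vbscript>
Set ok = CreateObject("ShockwaveFlash.ShockwaveFlash.1")
ok.LoadMovie 0,"intro.swf"
</script>'''


def parse_layer(text):
    """Return the layer as an int for decimal or &H hex literals, else None."""
    text = text.strip()
    if re.fullmatch(r"[+-]?\d+", text):
        return int(text)
    m = re.fullmatch(r"&H([0-9A-F]+)&?", text, re.I)
    return int(m.group(1), 16) if m else None


def find_nonzero_layer_loads(html):
    """List (variable, layer_text, url) for LoadMovie calls on a Flash control
    whose layer is not the literal 0. Non-literal layers are reported as well,
    because their value cannot be decided from the text alone."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        flash_vars = {v.lower() for v in BIND_RE.findall(body)}
        for var, layer_text, url in CALL_RE.findall(body):
            if var.lower() in flash_vars and parse_layer(layer_text) != 0:
                findings.append((var, layer_text.strip(), url))
    return findings


if __name__ == "__main__":
    for hit in find_nonzero_layer_loads(SAMPLE):
        print("non-zero layer LoadMovie:", hit)
```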
Vendor URL: www.macromedia.com/
Cause: Boundary error, Input validation error
Underlying OS: Windows (Any)
Message History: None.

Source Message Contents

Date: Tue, 6 Apr 2004 10:32:41 +0200
Subject: Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Macromedia Flash Player
Vendors: http://www.macromedia.com
Version: 7.0 r19
Platforms: WindowsXP Professional,SP1,SP2
Bug: Null Pointer Assignment
Risk: Medium - Denial Of Service
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Macromedia Flash Player is a module/plugin that comes by default with
Windows installation.
It is widely used across websites all around the world. It is stable and its
designers made a few efforts to make it secure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Macromedia Flash Player has a flaw at the "LoadMovie" function.
The function is designed the following way: LoadMovie(layer as long, url as
string).
This function handles long strings, non-alphabetic chars and even an
overflow at high layer num.
The only thing it crashes upon is loading a flash movie into a non-zero
layer index.
This means that:
LoadMovie 1,"c6ool.swf"
will crash the Internet Explorer window because of a null pointer assignment by
the flash module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible."