Are these for flash 5 or flash 6 or both? ~~ Stephenie
-----Original Message-----
From: Haggerty, Mike [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 1:16 PM
To: CF-Community
Subject: RE: At least 18 security flaws discovered in Flash

Do you one better:

Macromedia Flash plugin can read local files

Description :

Macromedia Flash Player is the leading rich client for Internet content and applications across the broadest range of platforms and devices. According to Macromedia more than 90% of web users are able to view Macromedia Flash content. Macromedia Flash Player is available for all major browsers on Windows, Mac OS, and Linux as well as on device platforms such as Pocket PC and Nokia Communicator.

There is a bug in Macromedia Flash Player that allows reading and sending of local files. This can be achieved in three ways.

1. force a http redirect to a local file
2. place a <base href="file:///C:/"> in the document then use a relative url
3. embed the flash object in a web archive (mht file) and make it seem as though it's been saved from a location on the user's hard drive, then use a relative url.

Systems affected :

The vulnerability has been confirmed to work on Macromedia Flash Player 6 in Internet Explorer 6 but I feel it's safe to assume that at least some other configurations are affected as well (naturally the mht file trick is IE specific)

Example :

Demonstrations of the issues described are available at :

1. redirect issue http://kuperus.xs4all.nl/flash.htm
2. base tag http://www.xs4all.nl/~jkuperus/flash.htm
3. mht file embedding http://www.xs4all.nl/~jkuperus/flash.mht

It reads and displays the contents of c:\jelmer.txt

The exploits use the Macromedia Flash xml object, first introduced in Macromedia Flash Player 5 to read the local files. There may be other ways to achieve the same effect.

Vendor status :

Macromedia was notified on July 12th 2002.
The latest build fixes the problem.

Workaround :

Update to the latest player (6,0,47,0). It should be available at http://www.macromedia.com/go/getflashplayer/

References :

http://www.netmag.co.uk/ie5/save-page.htm
http://www.wdvl.com/Authoring/HTML/Head/base.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
http://www.macromedia.com/support/flash/action_scripts/objects/xml_object.html
http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html

Previous vulnerabilities :

"MSIE + Winamp allows execution of arbitrary code"
http://online.securityfocus.com/archive/1/283018

"MSIE + ICQ allows execution of arbitrary code"
http://online.securityfocus.com/archive/1/282631

"Windows media player allows execution of arbitrary code"
http://online.securityfocus.com/bid/5107

"MS XMLHTTP component allows local file reading"
http://online.securityfocus.com/archive/1/245687

-----Original Message-----
From: jon hall [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 1:17 PM
To: CF-Community
Subject: At least 18 security flaws discovered in Flash

From Bugtraq:

Macromedia Shockwave Flash Malformed Header Overflow

Release Date: August 8, 2002

Severity: High (Remote Code Execution)

Systems Affected: Macromedia Shockwave Flash - All Versions; Unix and Windows; Netscape and Internet Explorer

Description:

While working on some pre-release eEye Retina CHAM tools, an exploitable condition was discovered within the Shockwave Flash file format called SWF (pronounced "SWIF").

Since this is a browser based bug, it makes it trivial to bypass firewalls and attack the user at his desktop. Also, application browser bugs allow you to target users based on the websites they visit, the newsgroups they read, or the mailing lists they frequent. It is a "one button" push attack, and using anonymous remailers or proxies for these attacks is possible.
This vulnerability has been proven to work with all versions of Macromedia Flash on Windows and Unix, through IE and Netscape. It may be run wherever Shockwave files may be displayed or attached, including: websites, email, news postings, forums, Instant Messengers, and within applications utilizing web-browsing functionality.

Technical Description:

The data header is roughly made out to:

[Flash signature][version (1)][File Length(A number of bytes too short)][frame size (malformed)][Frame Rate (malformed)][Frame Count (malformed)][Data]

By creating a malformed header we can supply more frame data than the decoder is expecting. By supplying enough data we can overwrite a function pointer address and redirect the flow of control to a specified location as soon as this address is used. At the moment the overwritten address takes control flow, an address pointing to a portion of our data is 8 bytes back from the stack pointer. By using a relative jump we redirect flow into a "call dword ptr [esp+N]", where N is the number of bytes from the stack pointer. These "jump points" can be located in multiple loaded dll's. By creating a simple tool using the debugging API and ReadMemory, you can examine a process's virtual address space for useful data to help you with your exploitation.

This is not to say other potentially vulnerable situations have not been found in Macromedia's Flash. We discovered about seventeen others before we ended our testing. We are working with Macromedia on these issues.

Protection:

Retina(R) Network Security Scanner already scans for this latest version of Flash on users' systems. Ensure all users within your control upgrade their systems.
Vendor Status:

Macromedia has released a patch for this vulnerability, available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False

Discovery: Drew Copley
Exploitation: Riley Hassell

Greetings: Hacktivismo!, Centra Spike

Copyright (c) 1998-2002 eEye Digital Security

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback

Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
[EMAIL PROTECTED]

--
jon
mailto:[EMAIL PROTECTED]
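
Added example (not part of the original messages or the eEye advisory): a header sanity check for the SWF layout sketched in the Technical Description, flagging a FileLength that disagrees with the bytes actually present. The field layout is the public SWF header format; the function names, the 64 MiB decompression cap and the sample bytes are constructed for illustration.

```python
import struct
import zlib

def _rect(buf, off):
    """Decode the bit-packed frame-size RECT: 5-bit Nbits, then 4 signed fields."""
    if off >= len(buf):
        raise ValueError("no frame size field")
    nbits = buf[off] >> 3
    total = 5 + 4 * nbits
    size = (total + 7) // 8
    if off + size > len(buf):
        raise ValueError("frame size runs past end of data")
    bits = int.from_bytes(buf[off:off + size], "big") >> (size * 8 - total)
    vals = []
    for i in range(4):                      # Xmin, Xmax, Ymin, Ymax (twips)
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        vals.append(v - (1 << nbits) if nbits and v >> (nbits - 1) else v)
    return vals, size

def check_swf_header(data):
    """Return (fields, findings); findings lists header inconsistencies."""
    if len(data) < 9 or data[:3] not in (b"FWS", b"CWS"):
        return {}, ["not a SWF file or header truncated"]
    fields = {"version": data[3],
              "declared_length": struct.unpack_from("<I", data, 4)[0]}
    if data[:3] == b"CWS":                  # body after byte 8 is zlib-compressed
        try:                                # 1 << 26 = assumed 64 MiB output cap
            data = data[:8] + zlib.decompressobj().decompress(data[8:], 1 << 26)
        except zlib.error:
            return fields, ["CWS body does not decompress"]
    findings = []
    declared = fields["declared_length"]
    if declared != len(data):
        kind = "shorter" if declared < len(data) else "longer"
        findings.append(f"FileLength {declared} is {kind} than the {len(data)} bytes present")
    try:
        rect, size = _rect(data, 8)
        rate, count = struct.unpack_from("<HH", data, 8 + size)
    except (ValueError, struct.error) as exc:
        return fields, findings + [f"header truncated: {exc}"]
    if rect[0] > rect[1] or rect[2] > rect[3]:
        findings.append("frame size has min > max")
    fields.update(frame_size=tuple(rect), frame_rate=rate / 256, frame_count=count)
    return fields, findings

# Constructed samples: 550x400 px stage, 12 fps, 1 frame, End tag only.
_BODY = bytes.fromhex("7800055f00000fa000" "000c" "0100" "0000")
GOOD = b"FWS\x06" + struct.pack("<I", 8 + len(_BODY)) + _BODY
PADDED = GOOD + b"\x00" * 64                # same FileLength, 64 bytes past declared end
```

A mail or web gateway could run such a check on SWF attachments and quarantine files with findings; it complements, and does not replace, upgrading the player.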
