Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
> I've downloaded this fixed version, but it seems to be vulnerable to
> something I've discovered last week: if you take a .swf and rot13 encode
> it (not all of it, so the headers are not messed up), you can crash the
> user's browser.

There are quite literally a thousand ways to crash the Macromedia Flash player (at least the version in use a year ago, when I was dealing with it). The majority of mistakes one makes, and bugs one finds, when attempting to create an SWF-writing application will kill the player: about a quarter of them will crash the player (and browser), the remainder mostly cause the player's memory usage to shoot up to about 40-70 MB and then hang.

A surprisingly large number of these faults can be triggered just using the Macromedia SWF SDK, without any mucking around with the binary SWF files, although you do have to fix a number of bugs in the SDK before you can get to that stage (which I won't go into here - Macromedia seem to have made a habit of suing anyone who tries to distribute bugfixes for their SDK).

Anyway, getting back to the security issues, while crashing the browser is definitely unacceptable, I'm not yet sure if any of those crashes would be exploitable, as most of them seem to be due to problems with their algorithms (as opposed to, say, simple string buffer overflows) - stack overflows due to recursion, null pointer violations, that kind of thing. Further experimentation would be warranted. I'd recommend starting with the audio compression, image compression, and font handling, since they involve buffer decompression etc. and so there's a better chance they're susceptible to buffer overflows.

Cheers,
Will

___
Will Bryant, [EMAIL PROTECTED]
cell +64 21 655 443
http://www.core-dev.co.nz/
Personal: http://carcino.gen.nz/
[PGP 0x96A7F40A, FP 827F A2A9 C718 106D 8F80 E16E A244 D5F2 96A7 F40A]
RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
This is very similar to one of the other crashes we have found. (Breaking into it reveals the same instruction as one of them.) The current revision does not fix any of these other potentially exploitable crashes mentioned in the advisory.

The difficulty is really in making these crashes exploitable. The one which we posted about was absolutely exploitable, and we wrote exploit code for it. This involved running bit combinations of the header and built-in stack tracing where key EIP changes were alerted and logged to a file. Since it is nearly impossible to crack 27 bytes with combinations between 00 and FF, we made some educated jumps at key junctures... over a period of several weeks.

This said, running tests against other filetypes has revealed similar issues which we are trying to find the time to fully work out. (The actual primary testing method does not involve so much bit shifting as it does going through the file systematically, looking for memory write issues, so that every error condition might at least be caught.) And some filetypes are far more difficult to test in this automated manner than Flash. For instance, pdf files involve a lengthy loading of the slow-running pdf module, and numerous office applications open outside windows which must be automatically closed... still not giving a solid opportunity to use the automated exception handler and debugger.

Hopefully, in the not too distant future Macromedia will have all of these potentially exploitable conditions removed from their file type, as their software is exceedingly popular and would make for a very bad method of attack against users.

> -----Original Message-----
> From: Carlos Laviola [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, August 11, 2002 3:14 AM
> To: 'BUGTRAQ'
> Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
>
> On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
> > The linux and solaris updates will be available later today.
> >
> > You will be able to download it at:
> > www.macromedia.com/go/getflashplayer/
>
> I've downloaded this fixed version, but it seems to be vulnerable to
> something I've discovered last week: if you take a .swf and rot13 encode
> it (not all of it, so the headers are not messed up), you can crash the
> user's browser. I've tested it on Netscape 4.77 with Flash 4.0 r12 and
> Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0 r50 (both
> running on Debian unstable) and IE 6.0 (on Windows 2000) and all of them
> crash instantly when I try to open the rot13-garbled file.
>
> Check it out:
> http://alternex.com.br/~claviola/sample1.swf (original)
> http://alternex.com.br/~claviola/sample2.swf (modified)
>
> --
> Carlos Laviola <[EMAIL PROTECTED]>
Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
> The linux and solaris updates will be available later today.
>
> You will be able to download it at:
> www.macromedia.com/go/getflashplayer/

I've downloaded this fixed version, but it seems to be vulnerable to something I've discovered last week: if you take a .swf and rot13 encode it (not all of it, so the headers are not messed up), you can crash the user's browser. I've tested it on Netscape 4.77 with Flash 4.0 r12 and Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0 r50 (both running on Debian unstable) and IE 6.0 (on Windows 2000) and all of them crash instantly when I try to open the rot13-garbled file.

Check it out:
http://alternex.com.br/~claviola/sample1.swf (original)
http://alternex.com.br/~claviola/sample2.swf (modified)

--
Carlos Laviola <[EMAIL PROTECTED]>
RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Is there any way to turn off the Flash ActiveX control for Windows? I've tried removing it from my system and Web sites just keep downloading it again. If I turn off ActiveX completely, then Internet Explorer is constantly warning me that Web pages that use Flash-based banner ads will not be displayed properly. All I want to do is surf the Web with a little less motion on the screen. I've already turned off animated GIFs, which partially solves the problem. The ability to turn off Flash is also important given the recent spate of Flash security holes.

Richard M. Smith
http://www.ComputerBytesMan.com

-----Original Message-----
From: Mike Chambers [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 5:44 PM
To: 'BUGTRAQ'
Subject: RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow

The linux and solaris updates will be available later today.

You will be able to download it at:
www.macromedia.com/go/getflashplayer/

mike chambers
[EMAIL PROTECTED]

> -----Original Message-----
> From: Scott Lampert [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 09, 2002 3:45 PM
> To: BUGTRAQ
> Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
>
> On Thu, Aug 08, 2002 at 05:26:20PM -0700, Marc Maiffret wrote:
> > Vendor Status:
> > Macromedia has released a patch for this vulnerability, available at:
> > http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False
> >
> > Discovery: Drew Copley
> > Exploitation: Riley Hassell
>
> As far as I can see there is no update to the UNIX versions. The files
> are all dated March 25. The bulletin describes version 6 of the Flash
> player as the fix, however that doesn't seem to be available for
> anything other than Windows and Mac. Am I missing something?
>
> -Scott
>
> --
> Scott Lampert <[EMAIL PROTECTED]>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
> -Benjamin Franklin, 1759
> Public Key: http://www.lampert.org/public_key.asc
Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
On Fri, 9 Aug 2002 12:44:38 -0700 Scott Lampert wrote:
> As far as I can see there is no update to the UNIX versions. The files
> are all dated March 25. The bulletin describes version 6 of the Flash
> player as the fix, however that doesn't seem to be available for
> anything other than Windows and Mac. Am I missing something?

I asked Macromedia the same thing, and Troy Evans (Flash Player Product Manager) replied:

TE> Flash Player for Linux and Solaris will be updated this afternoon (by
TE> the end of the day), the new player will be available at
TE> www.macromedia.com/go/getflashplayer/

It seems they kept to this, as Flash Player 5.0r50 (at least for Linux; other OSes not checked) is now available from that URL.

Tim
RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
The linux and solaris updates will be available later today.

You will be able to download it at:
www.macromedia.com/go/getflashplayer/

mike chambers
[EMAIL PROTECTED]

> -----Original Message-----
> From: Scott Lampert [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 09, 2002 3:45 PM
> To: BUGTRAQ
> Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
>
> On Thu, Aug 08, 2002 at 05:26:20PM -0700, Marc Maiffret wrote:
> > Vendor Status:
> > Macromedia has released a patch for this vulnerability, available at:
> > http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False
> >
> > Discovery: Drew Copley
> > Exploitation: Riley Hassell
>
> As far as I can see there is no update to the UNIX versions. The files
> are all dated March 25. The bulletin describes version 6 of the Flash
> player as the fix, however that doesn't seem to be available for
> anything other than Windows and Mac. Am I missing something?
>
> -Scott
>
> --
> Scott Lampert <[EMAIL PROTECTED]>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
> -Benjamin Franklin, 1759
> Public Key: http://www.lampert.org/public_key.asc
Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
On Thu, Aug 08, 2002 at 05:26:20PM -0700, Marc Maiffret wrote:
> Vendor Status:
> Macromedia has released a patch for this vulnerability, available at:
> http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False
>
> Discovery: Drew Copley
> Exploitation: Riley Hassell

As far as I can see there is no update to the UNIX versions. The files are all dated March 25. The bulletin describes version 6 of the Flash player as the fix, however that doesn't seem to be available for anything other than Windows and Mac. Am I missing something?

-Scott

--
Scott Lampert <[EMAIL PROTECTED]>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, 1759
Public Key: http://www.lampert.org/public_key.asc
Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
The Unix version is still vulnerable, as Macromedia didn't update its Flash plugin for Unix systems.
EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Macromedia Shockwave Flash Malformed Header Overflow

Release Date: August 8, 2002

Severity: High (Remote Code Execution)

Systems Affected: Macromedia Shockwave Flash - All Versions; Unix and Windows; Netscape and Internet Explorer

Description:
While working on some pre-release eEye Retina CHAM tools, an exploitable condition was discovered within the Shockwave Flash file format called SWF (pronounced "SWIF"). Since this is a browser-based bug, it makes it trivial to bypass firewalls and attack the user at his desktop. Also, application browser bugs allow you to target users based on the websites they visit, the newsgroups they read, or the mailing lists they frequent. It is a "one button" push attack, and using anonymous remailers or proxies for these attacks is possible.

This vulnerability has been proven to work with all versions of Macromedia Flash on Windows and Unix, through IE and Netscape. It may be run wherever Shockwave files may be displayed or attached, including: websites, email, news postings, forums, Instant Messengers, and within applications utilizing web-browsing functionality.

Technical Description:
The data header is roughly made out to:

[Flash signature][version (1)][File Length (a number of bytes too short)][frame size (malformed)][Frame Rate (malformed)][Frame Count (malformed)][Data]

By creating a malformed header we can supply more frame data than the decoder is expecting. By supplying enough data we can overwrite a function pointer address and redirect the flow of control to a specified location as soon as this address is used. At the moment the overwritten address takes control flow, an address pointing to a portion of our data is 8 bytes back from the stack pointer. By using a relative jump we redirect flow into a "call dword ptr [esp+N]", where N is the number of bytes from the stack pointer. These "jump points" can be located in multiple loaded DLLs.

By creating a simple tool using the debugging API and ReadMemory, you can examine a process's virtual address space for useful data to help you with your exploitation.

This is not to say other potentially vulnerable situations have not been found in Macromedia's Flash. We discovered about seventeen others before we ended our testing. We are working with Macromedia on these issues.

Protection:
Retina(R) Network Security Scanner already scans for this latest version of Flash on users' systems. Ensure all users within your control upgrade their systems.

Vendor Status:
Macromedia has released a patch for this vulnerability, available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False

Discovery: Drew Copley
Exploitation: Riley Hassell

Greetings: Hacktivismo!, Centra Spike

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
[EMAIL PROTECTED]
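A defender-side check derived from the header layout the advisory lists (an added example, not eEye's or Macromedia's code): it decodes the fields and reports a FileLength that does not match the data actually present, the inconsistency the technical description above starts from. Field encodings (FWS/CWS signature, uint32 little-endian FileLength, RECT with a 5-bit Nbits prefix, 8.8 fixed-point FrameRate, uint16 FrameCount) follow the published SWF specification; the function names and the sample files are constructed here.

```python
# Added example, not eEye's or Macromedia's code: decode the SWF header fields the
# advisory lists and flag a FileLength that disagrees with the real size of the data.
import struct
import zlib
class SwfHeaderError(ValueError): """Header is structurally malformed."""

def _parse_rect(buf, pos):
    """FrameSize RECT: 5-bit Nbits, then Xmin, Xmax, Ymin, Ymax as Nbits-bit signed ints (twips)."""
    nbits = buf[pos] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    if pos + nbytes > len(buf):
        raise SwfHeaderError("truncated FrameSize RECT")
    bits = int.from_bytes(buf[pos:pos + nbytes], "big") >> (nbytes * 8 - total_bits)
    fields = []
    for shift in (3, 2, 1, 0):
        val = (bits >> (shift * nbits)) & ((1 << nbits) - 1)
        fields.append(val - (1 << nbits) if nbits and val >> (nbits - 1) else val)
    return tuple(fields), pos + nbytes

def parse_swf_header(data):
    """Decode the header; length_ok is False when FileLength lies about the file size."""
    if len(data) < 8:
        raise SwfHeaderError("shorter than the fixed 8-byte header")
    sig, version, declared_len = struct.unpack_from("<3sBI", data, 0)
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":  # zlib body (v6+): inflate at most declared size + 1 so a lie stays visible
        body = zlib.decompressobj().decompress(data[8:], max(declared_len - 8, 0) + 1)
    else:
        raise SwfHeaderError("unknown signature %r" % sig)
    frame_size, pos = _parse_rect(body, 0)
    if pos + 4 > len(body):
        raise SwfHeaderError("truncated FrameRate/FrameCount")
    rate, count = struct.unpack_from("<HH", body, pos)  # FrameRate is 8.8 fixed point
    return {"version": version, "declared_length": declared_len, "actual_length": 8 + len(body),
            "length_ok": declared_len == 8 + len(body), "frame_size_twips": frame_size,
            "frame_rate": rate / 256.0, "frame_count": count}

def build_sample(declared_len, compressed=False):
    """Constructed minimal SWF: 550x400 px stage (twips), 12 fps, 1 frame, then an End tag."""
    nbits, bits = 15, 15                  # Nbits=15 is wide enough for 11000 plus a sign bit
    for v in (0, 11000, 0, 8000):         # Xmin, Xmax, Ymin, Ymax
        bits = (bits << nbits) | v
    body = (bits << 7).to_bytes(9, "big") + struct.pack("<HH", 12 << 8, 1) + b"\x00\x00"
    sig, payload = (b"CWS", zlib.compress(body)) if compressed else (b"FWS", body)
    return struct.pack("<3sBI", sig, 6, declared_len) + payload

SAMPLE_OK = build_sample(23)         # consistent: 8 header + 9 RECT + 4 + 2-byte End tag
SAMPLE_SHORT_LEN = build_sample(16)  # FileLength "a number of bytes too short", as in the advisory
```

A gateway or scanner that rejects files whose length_ok is False (or that raise SwfHeaderError) refuses the malformed-header class before the player ever sees it; a corrupt zlib stream in a CWS file raises zlib.error and should be treated the same way.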