ADVISORY 1: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Qualys Vulnerability & Malware Research Labs (VMRL) http://www.dissect.pe Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2012-2029 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IMLLib by opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x2306. This problem was confirmed in the following versions of Adobe Shockwave Player and MacOS X, other versions may be also affected. Shockwave Player version 11.6.3r633, Module IMLLib.framework on MacOS X 10.7.2 (11C74) CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro01.dir) is available to interested parties. Use Firefox or Safari to open the file and reproduce the vulnerability. DETAILS Disassembly: (gdb) disas $pc Dump of assembler code for function memmove$VARIANT$sse42: 0x991539bd : push %ebp 0x991539be : mov %esp,%ebp 0x991539c0 : push %esi 0x991539c1 : push %edi 0x991539c2 : mov 0x8(%ebp),%edi 0x991539c5 : mov 0xc(%ebp),%esi 0x991539c8 : mov 0x10(%ebp),%ecx 0x991539cb : mov %edi,%edx 0x991539cd : sub %esi,%edx 0x991539cf : cmp %ecx,%edx 0x991539d1 : jb 0x99153a01 0x991539d3 : cmp $0x50,%ecx 0x991539d6 : ja 0x99153a06 0x991539d8 : mov %ecx,%edx 0x991539da : shr $0x2,%ecx 0x991539dd : je 0x991539ec 0x991539df : mov (%esi),%eax <----- Crash here Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x3f5d8935 0x991539df in memmove$VARIANT$sse42 () (gdb) bt #0 0x991539df in memmove$VARIANT$sse42 () #1 0x0452eb61 in imPostQuitMessage () #2 0x045079f5 in imMemCopy () #3 0x070f414d in VListGetNumEntries () #4 0x0700b93a in TELscriptRef_GetPropertyInitsAsHandle () #5 0x0709b6b3 in MovieMemoryDispose () #6 0x0703d409 in TELscriptRef_GetPropertyInitsAsHandle () #7 0x0703db71 in TELscriptRef_GetPropertyInitsAsHandle () #8 0x0705e4f5 in mmpRewind () #9 0x06fa1970 in MovieInstLoadMovie () #10 0x01f51f89 in main () #11 0x01f526fa in main () #12 0x04531a64 in imNPMessageHandleMacEvent () #13 0x01f507cf in main () #14 0x01f535d0 in main () #15 0x01f48bcc in dyld_stub_Gestalt () #16 0x996bedd9 in CAOpenGLLayerDraw () #17 0x996be842 in -[CAOpenGLLayer _display] () #18 0x9968dff5 in CA::Layer::display () #19 0x9968df11 in -[CALayer display] () #20 0x99685aec in CA::Layer::display_if_needed () #21 0x99684883 in CA::Context::commit_transaction () #22 0x99684594 in CA::Transaction::commit () #23 0x996843f8 in +[CATransaction commit] () #24 0x010838dd in nsCARenderer::Render () Previous frame inner to this frame (gdb could not unwind past this frame) (gdb) x/i $pc 0x991539df : mov (%esi),%eax (gdb) i r $esi $eax esi 0x3f5d8935 1063094581 eax 0x4 4 CREDITS This vulnerability was discovered by Rodrigo Rubira Branco (http://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL). -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+qncAACgkQRpuC3B/O3qGHDwCeIT4yhw741QM5TRwH1WSD7bHF 0dYAn2IUJG6ADX9vOF5sreWRXmPO3fTO =O1Ew -----END PGP SIGNATURE----- ADVISORY 2: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Qualys Vulnerability & Malware Research Labs (VMRL) http://www.dissect.pe Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2012-2030 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module DPLib by opening a malformed file with an invalid value located in PoC repro02.dir at offset 0x36A4. This problem was confirmed in the following versions of Adobe Shockwave Player and MacOS X, other versions may be also affected. Shockwave Player version 11.6.3r633, Module DPLib.framework on MacOS X 10.7.2 (11C74) CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro02.dir) is available to interested parties. Use Firefox or Safari to open the file and reproduce the vulnerability. DETAILS Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x90000004 0x0714b9db in MovieMemoryDispose () (gdb) bt #0 0x0714b9db in MovieMemoryDispose () #1 0x0714d329 in MovieMemoryDispose () #2 0x0715b778 in MovieMemoryDispose () #3 0x0715be15 in MovieMemoryDispose () #4 0x0706964a in TELscriptRef_GetPropertyInitsAsHandle () #5 0x070697e8 in TELscriptRef_GetPropertyInitsAsHandle () #6 0x0706a579 in TELscriptRef_GetPropertyInitsAsHandle () #7 0x0706b82d in TELscriptRef_GetPropertyInitsAsHandle () #8 0x07065691 in TETourGetCpuHogTicks () #9 0x0700c684 in MovieInstAnimIdle () #10 0x01f524f4 in main () #11 0x01f526fa in main () #12 0x055e8a64 in imNPMessageHandleMacEvent () #13 0x01f507cf in main () #14 0x01f535d0 in main () #15 0x01f48bcc in dyld_stub_Gestalt () #16 0x996bedd9 in CAOpenGLLayerDraw () #17 0x996be842 in -[CAOpenGLLayer _display] () #18 0x9968dff5 in CA::Layer::display () #19 0x9968df11 in -[CALayer display] () #20 0x99685aec in CA::Layer::display_if_needed () #21 0x99684883 in CA::Context::commit_transaction () #22 0x99684594 in CA::Transaction::commit () #23 0x99683b29 in CA::Transaction::observer_callback () #24 0x96f697be in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ () #25 0x96f696fd in __CFRunLoopDoObservers () #26 0x96f3b917 in CFRunLoopRunSpecific () #27 0x96f3b798 in CFRunLoopRunInMode () #28 0x95638a7f in RunCurrentEventLoopInMode () #29 0x9563fd9b in ReceiveNextEventCommon () #30 0x9563fc0a in BlockUntilNextEventMatchingListInMode () #31 0x95c8c040 in _DPSNextEvent () #32 0x95c8b8ab in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #33 0x95c87c22 in -[NSApplication run] () #34 0x01036dd9 in nsXPTCStubBase::Stub249 () (gdb) x/i $pc 0x714b9db : incl 0x4(%eax) (gdb) i r $eax eax 0x90000000 -1879048192 CREDITS This vulnerability was discovered by Rodrigo Rubira Branco (http://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL). -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+qncsACgkQRpuC3B/O3qEWNwCfQQcZjDDOTzZTu3W1DrfMs7eN /NYAnjXnpMpH/hgaAQRGa1huDADRERDI =UIh/ -----END PGP SIGNATURE----- ADVISORY 3: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Qualys Vulnerability & Malware Research Labs (VMRL) http://www.dissect.pe Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2012-2031 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave Player does not properly parse .dir media file, which causes a corruption in module IMLLib by opening a malformed file with an invalid value located in PoC repro03.dir at offset 0x3AD1 and 0x3AD5. This problem was confirmed in the following versions of Adobe Shockwave Player and MacOS X, other versions may be also affected. Shockwave Player version 11.6.3r633, Module IMLLib.framework on MacOS X 10.7.2 (11C74) CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem a PoC file (repro03.dir) is available to interested parties. Use Firefox or Safari to open the file and reproduce the vulnerability. DETAILS Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000009 0x045081fb in imMemDisposalCallbackControl () (gdb) bt #0 0x045081fb in imMemDisposalCallbackControl () #1 0x070f47fd in VListGetNumEntries () #2 0x070e9aa7 in MovieMemoryDispose () #3 0x070e22d4 in MovieMemoryDispose () #4 0x070e2329 in MovieMemoryDispose () #5 0x070f0778 in MovieMemoryDispose () #6 0x070f0e15 in MovieMemoryDispose () #7 0x06ffe64a in TELscriptRef_GetPropertyInitsAsHandle () #8 0x06ffe7e8 in TELscriptRef_GetPropertyInitsAsHandle () #9 0x06fff579 in TELscriptRef_GetPropertyInitsAsHandle () #10 0x0700082d in TELscriptRef_GetPropertyInitsAsHandle () #11 0x06ffa691 in TETourGetCpuHogTicks () #12 0x06fa1684 in MovieInstAnimIdle () #13 0x01f524f4 in main () #14 0x01f526fa in main () #15 0x04531a64 in imNPMessageHandleMacEvent () #16 0x01f507cf in main () #17 0x01f535d0 in main () #18 0x01f48bcc in dyld_stub_Gestalt () #19 0x996bedd9 in CAOpenGLLayerDraw () #20 0x996be842 in -[CAOpenGLLayer _display] () #21 0x9968dff5 in CA::Layer::display () #22 0x9968df11 in -[CALayer display] () #23 0x99685aec in CA::Layer::display_if_needed () #24 0x99684883 in CA::Context::commit_transaction () #25 0x99684594 in CA::Transaction::commit () #26 0x99683b29 in CA::Transaction::observer_callback () #27 0x96f697be in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ () #28 0x96f696fd in __CFRunLoopDoObservers () #29 0x96f3b917 in CFRunLoopRunSpecific () #30 0x96f3b798 in CFRunLoopRunInMode () #31 0x95638a7f in RunCurrentEventLoopInMode () #32 0x9563fd9b in ReceiveNextEventCommon () #33 0x9563fc0a in BlockUntilNextEventMatchingListInMode () #34 0x95c8c040 in _DPSNextEvent () #35 0x95c8b8ab in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #36 0x95c87c22 in -[NSApplication run] () #37 0x01036dd9 in nsXPTCStubBase::Stub249 () (gdb) x/i $pc 0x45081fb : movzwl 0x8(%edx),%eax (gdb) i r $edx $eax edx 0x1 1 eax 0xbfffaa0c -1073763828 CREDITS This vulnerability was discovered by Rodrigo Rubira Branco (http://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL). -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+qnc8ACgkQRpuC3B/O3qEJswCfduYDmABYcfBoIKXoNDWNEoDO LY4An2uIfhYjkcTg/zAw5khcFK96IRm4 =SZCB -----END PGP SIGNATURE-----