CVE-2012-0758 Adobe Shockwave Player Parsing cupt atom heap overflow

Discover: instruder of code audit labs of vulnhunt.com
CAL: CAL-2011-0071
CVE: CVE-2012-0758

1 Affected Products

=================
adobe shockwave 11.6.3.633
adobe Shockwave 11.6.1.629 and prior

2 Vulnerability Details

=====================
When adobe shockwave player parsing a dir type file,
it takes a dword from the dir file,and then take some
Computing this computing will leding to Integer overflow,
allocate a small memory,this Cause a heap overflow.

3 Analysis

=========
asm in dirapi.dll 11.6.1.629

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

.text:6809FC7A                 push    esi .text:6809FC7B                 push    edi .text:6809FC7C                 push    ebp .text:6809FC7D                 call    IML32_1414_get_a_dword       //get a dword form dir file .text:6809FC82                 mov     esi, eax             //if eax=66666680 some like this,after esi+esi*4 Will cause a heap overflow .text:6809FC84                 lea     eax, [esi+esi*4]         // Integrated  overflow .text:6809FC87                 push    1 .text:6809FC89                 lea     ecx, ds:24h[eax*8] .text:6809FC90                 push    ecx .text:6809FC91                 call    IML32_1111      ; .text:6809FC96                 push    eax .text:6809FC97                 mov     [esp+14h+arg_4], eax .text:6809FC9B                 call    IML32_1114           //allocate memory .text:6809FCA0                 mov     edi, eax .text:6809FCA2                 test    edi, edi .text:6809FCA4                 jz      short loc_6809FD03 .text:6809FCA6                 mov     [edi+1Ch], esi .text:6809FCA9                 test    esi, esi .text:6809FCAB                 jbe     short loc_6809FCCB .text:6809FCAD                 lea     esi, [edi+28h] .text:6809FCB0 .text:6809FCB0 loc_6809FCB0:                           ; CODE XREF: sub_6809FC60+69j .text:6809FCB0                 push    ebp .text:6809FCB1                 call    IML32_1414_get_a_dword       ////write the dword to the heap .text:6809FCB6                 push    20h .text:6809FCB8                 push    esi .text:6809FCB9                 push    ebp .text:6809FCBA                 mov     [esi-4], eax .text:6809FCBD                 call    IML32_1409 .text:6809FCC2                 inc     ebx .text:6809FCC3                 add     esi, 28h             ////heap buffer overflow .text:6809FCC6                 cmp     ebx, [edi+1Ch] .text:6809FCC9                 jb      short loc_6809FCB0       //Cycle

c code like
==================

1 2 3 4 5 6 7 8 9

v6 = v4 + 40; do { *(_DWORD *)(v6 - 4) = IML32_1414_get_a_dword(v3); v4 = IML32_1409(); ++v2; v6 += 40; } while ( v2 < *(_DWORD *)(v5 + 0x1C) );

4 Exploitable?

============
Successfully exploited this vulnerability could lead to arbitrary code execution.

5 Crash info:

===============

1 2 3 4 5

eax=00000000 ebx=00002a63 ecx=07916058 edx=08980028 esi=07981008 edi=07917068 eip=0754fd5a esp=09e9ef28 ebp=08250bd8 iopl=0         nv up ei pl zr na pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246 *** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll DIRAPI+0x9fd5a: 0754fd5a 8946fc          mov     dword ptr [esi-4],eax ds:0023:07981004=????????0:028> 0:023> kb ChildEBP RetAddr  Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 09e9ef40 0755028c 07894154 08250bb0 07894154 DIRAPI+0x9fd5a 00000000 00000000 00000000 00000000 00000000 DIRAPI+0xa028c

6 About Code Audit Labs:

=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:” You create value for customer,We protect your value”

http://www.VulnHunt.com

http://blog.vulnhunt.com

http://t.qq.com/vulnhunt

http://weibo.com/vulnhunt