Discovered by: instruder of Code Audit Labs of vulnhunt.com
CAL: CAL-2011-0071
CVE: CVE-2012-0758
1 Affected Products
=================
Adobe Shockwave 11.6.3.633
Adobe Shockwave 11.6.1.629 and prior
2 Vulnerability Details
=====================
When Adobe Shockwave Player parses a .dir file, it reads a DWORD from the
file and uses it in a size computation (the disassembly below shows
count*40+0x24 in 32-bit arithmetic). For a large enough value this
computation overflows, so only a small buffer is allocated while the
following copy loop still runs for the full count, which causes a heap
overflow.
3 Analysis
=========
Disassembly from dirapi.dll 11.6.1.629:

    .text:6809FC7A    push    esi
    .text:6809FC7B    push    edi
    .text:6809FC7C    push    ebp
    .text:6809FC7D    call    IML32_1414_get_a_dword  ; read a dword from the dir file
    .text:6809FC82    mov     esi, eax                ; if eax is e.g. 66666680h, esi+esi*4 wraps and a heap overflow follows
    .text:6809FC84    lea     eax, [esi+esi*4]        ; integer overflow (count*5)
    .text:6809FC87    push    1
    .text:6809FC89    lea     ecx, ds:24h[eax*8]      ; size = count*40 + 24h, truncated to 32 bits
    .text:6809FC90    push    ecx
    .text:6809FC91    call    IML32_1111
    .text:6809FC96    push    eax
    .text:6809FC97    mov     [esp+14h+arg_4], eax
    .text:6809FC9B    call    IML32_1114              ; allocate memory of the (overflowed) size
    .text:6809FCA0    mov     edi, eax
    .text:6809FCA2    test    edi, edi
    .text:6809FCA4    jz      short loc_6809FD03
    .text:6809FCA6    mov     [edi+1Ch], esi          ; store the untrusted count as the loop bound
    .text:6809FCA9    test    esi, esi
    .text:6809FCAB    jbe     short loc_6809FCCB
    .text:6809FCAD    lea     esi, [edi+28h]
    .text:6809FCB0
    .text:6809FCB0 loc_6809FCB0:                      ; CODE XREF: sub_6809FC60+69j
    .text:6809FCB0    push    ebp
    .text:6809FCB1    call    IML32_1414_get_a_dword  ; read the next dword and write it to the heap
    .text:6809FCB6    push    20h
    .text:6809FCB8    push    esi
    .text:6809FCB9    push    ebp
    .text:6809FCBA    mov     [esi-4], eax
    .text:6809FCBD    call    IML32_1409
    .text:6809FCC2    inc     ebx
    .text:6809FCC3    add     esi, 28h                ; advances 40 bytes per iteration: heap buffer overflow
    .text:6809FCC6    cmp     ebx, [edi+1Ch]
    .text:6809FCC9    jb      short loc_6809FCB0      ; loop
Equivalent C (decompiled)
==================

    /* v5: the buffer allocated with the overflowed size
     * v2: loop counter (ebx), v6: write cursor (esi)
     * *(v5 + 0x1C): the untrusted record count read from the file */
    v6 = v4 + 40;
    do
    {
        *(_DWORD *)(v6 - 4) = IML32_1414_get_a_dword(v3);  /* write dword from file */
        v4 = IML32_1409();
        ++v2;
        v6 += 40;                                            /* runs past the small buffer */
    }
    while ( v2 < *(_DWORD *)(v5 + 0x1C) );
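The size arithmetic above (count*5, then *8 + 0x24, all in 32-bit registers) is what wraps. The following C program is an added example, not code from the advisory or from Adobe: it reproduces that arithmetic as unchecked_alloc_size(), and beside it shows two ways a parser can reject a count whose records cannot fit, using either 64-bit intermediate math or a precomputed maximum count. The function names, the record size of 0x28 and header size of 0x24 taken from the disassembly, and the sample counts are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Sizes read off the disassembly: 40-byte records behind a 0x24-byte header.
 * All function names here are this example's own, not symbols in DIRAPI.dll. */
#define RECORD_SIZE 0x28u
#define HEADER_SIZE 0x24u

/* Mirrors the vulnerable computation exactly:
 *   lea eax, [esi+esi*4]     -> count*5
 *   lea ecx, ds:24h[eax*8]   -> (count*5)*8 + 0x24
 * performed in 32-bit registers, so the result silently wraps. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    uint32_t eax = count + count * 4u;
    return eax * 8u + HEADER_SIZE;
}

/* Hardened variant: same size, computed in 64 bits and checked against
 * the 32-bit allocator limit. Returns 0 on overflow (a real size is never
 * 0 because the header alone is 0x24 bytes). */
uint32_t checked_alloc_size(uint32_t count)
{
    uint64_t wide = (uint64_t)count * RECORD_SIZE + HEADER_SIZE;
    if (wide > UINT32_MAX)
        return 0;
    return (uint32_t)wide;
}

/* Alternative without 64-bit arithmetic: the largest count whose records
 * still fit is derived once, and anything above it is refused before any
 * multiplication happens. */
bool count_fits(uint32_t count)
{
    const uint32_t max_count = (UINT32_MAX - HEADER_SIZE) / RECORD_SIZE;
    return count <= max_count;
}

int main(void)
{
    /* Constructed sample counts: a normal one, the advisory's example
     * value, and the maximum 32-bit value. */
    const uint32_t samples[] = { 3u, 0x66666680u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t c = samples[i];
        printf("count=0x%08X unchecked=0x%08X checked=0x%08X fits=%s\n",
               c, unchecked_alloc_size(c), checked_alloc_size(c),
               count_fits(c) ? "yes" : "no");
    }
    return 0;
}
```

For the advisory's value 0x66666680 the unchecked size wraps to 0x424 bytes, which is the small heap block the loop then overruns; both checked variants reject that count before an allocation is made.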
4 Exploitable?
============
Successful exploitation of this vulnerability could lead to arbitrary code execution.
5 Crash info:
===============
    eax=00000000 ebx=00002a63 ecx=07916058 edx=08980028 esi=07981008 edi=07917068
    eip=0754fd5a esp=09e9ef28 ebp=08250bd8 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    *** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll
    DIRAPI+0x9fd5a:
    0754fd5a 8946fc          mov     dword ptr [esi-4],eax ds:0023:07981004=????????
    0:028> 0:023> kb
    ChildEBP RetAddr  Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    09e9ef40 0755028c 07894154 08250bb0 07894154 DIRAPI+0x9fd5a
    00000000 00000000 00000000 00000000 00000000 DIRAPI+0xa028c
6 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services
including source code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt