Multiple vulnerabilities in Macromedia Flash ActiveX

by Nikola Strahija on November 18th, 2002

The Macromedia Flash ActiveX plugin displays .swf files under Internet Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have the Macromedia Flash Player".


Vulnerabilities:

A few vulnerabilities were identified: protected memory reading, memory
consumption DoS and, more seriously:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in the SWRemote parameter of the Flash object.

Details:

The last bug is very close to the one reported by eEye in May [2]. It
was probably not found by eEye because the overflow is heap based, so the
exception is triggered on free(). It may be achieved by setting and changing
the property with JavaScript, for example. This kind of overflow (heap-based
Unicode overflow) is exploitable under Internet Explorer. The attached proof
of concept (by LOM) [1] demonstrates the exception triggered in free(). See
[3] for exploiting heap overflows and [4] for exploiting Unicode overflows
under Internet Explorer.
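
An added example, not part of the original advisory or the proof of concept: a static check that flags markup giving a Flash object an unusually long SWRemote value, or touching the property from script. The 256-character threshold, the names used and the sample markup are assumptions.

```python
from html.parser import HTMLParser

MAX_SWREMOTE_LEN = 256  # assumption: the advisory states no overflow length

class SWRemoteScanner(HTMLParser):
    """Flags oversized SWRemote values and scripts that touch the property."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # tuples: (line, kind, value length or None)
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "script":
            self.in_script = True
        value = None
        if tag == "object" and "swremote" in a:
            value = a["swremote"]
        elif tag == "param" and a.get("name", "").lower() == "swremote":
            value = a.get("value", "")
        if value is not None and len(value) > MAX_SWREMOTE_LEN:
            self.findings.append((self.getpos()[0], tag, len(value)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # A value assigned from JavaScript cannot be sized statically,
        # so any script reference is flagged for manual review.
        if self.in_script and "swremote" in data.lower():
            self.findings.append((self.getpos()[0], "script", None))

def scan_html(text):
    scanner = SWRemoteScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample markup (not taken from the proof of concept).
SAMPLE = """<object id="ok"><param name="movie" value="a.swf">
<param name="SWRemote" value="short"></object>
<object id="odd"><param name="movie" value="b.swf">
<param name="SWRemote" value="%s"></object>
<script>document.getElementById("ok").SWRemote = cfg;</script>
""" % ("A" * 1000)

if __name__ == "__main__":
    print(scan_html(SAMPLE))  # [(4, 'param', 1000), (5, 'script', None)]
```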

Credits:

The vulnerabilities were discovered by LOM.

Vendor:

Macromedia was contacted on 23 Oct 2002. The only reply, received on
29 Oct 2002, was that Macromedia would look into these issues.

Workaround:

Disable ActiveX in Internet Explorer or uninstall the Flash ActiveX plugin.

References:

1. Macromedia Shockwave proof of concept
http://www.security.nnov.ru/files/swfexpl.zip
2. eEye, Macromedia Flash Activex Buffer overflow
http://www.eeye.com/html/Research/Advisories/AD20020502.html
3. w00w00 on Heap Overflows
http://www.w00w00.org/files/articles/heaptut.txt
4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
few sidenotes on Unicode overflows in general)
http://www.security.nnov.ru/search/document.asp?docid=2554
5. Additional or updated information on this issue
http://www.security.nnov.ru/search/news.asp?binid=1982



