[PCWorks] Adobe Shockwave Player Multiple Vulnerabilities
- From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
- To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
- Date: Thu, 16 Jun 2011 05:19:55 -0500
TITLE:
Adobe Shockwave Player Multiple Vulnerabilities
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Adobe Shockwave Player 11.x
SECUNIA ADVISORY ID:
http://secunia.com/advisories/43811/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Shockwave
Player, which can be exploited by malicious people to
compromise a
user's system.
1) An unspecified error in dirapi.dll can be exploited to
corrupt
memory.
2) An unspecified error in dirapi.dll can be exploited to
corrupt
memory.
3) An unspecified error in dirapi.dll can be exploited to
corrupt
memory.
4) An unspecified error in dirapi.dll can be exploited to
corrupt
memory.
5) Unspecified errors in dirapi.dll can be exploited to corrupt
memory.
6) An input validation error in dirapi.dll when calculating
offsets
into buffers based on various 16-bit values in rcsL chunks can
be
exploited to corrupt memory.
7) A logic error in dirapi.dll when a xtcL chunk is not present
as
expected results in use of uninitialised memory.
8) An integer overflow error in dirapi.dll when parsing certain
16-bit fields in rcsL chunks can be exploited to cause
heap-based
buffer overflows.
9) An error in dirapi.dll when parsing rcsL chunks can be
exploited
to cause a heap-based buffer overflow as a size value is
calculating
based on two pointer values without ensuring that the first
pointer
value is greater than the second pointer value.
10) An unspecified design flaw exists in an unspecified
component.
11) An integer overflow error in dirapi.dll when parsing rcsL
chunks
can be exploited to cause a heap-based buffer overflow.
12) A boundary error in "Font Asset.x32" when parsing
font-related
structures can be exploited to cause stack-based buffer
overflows.
13) Multiple unspecified errors exist in IML32.dll.
14) Integer overflow errors in a function used to calculate how
much
space is required for storing a specified amount of DEMX data
of a
specified type can be exploited to cause buffer overflows.
15) An integer overflow error in a function used to create a
structure for storing DEMX data can be exploited to cause
heap-based
buffer overflows.
16) An error when allocating buffers based on sizes obtained
from
KEY* chunks can be exploited to cause a heap-based buffer
overflow as
an allocated buffer may not be sufficiently sized to contain
the
minimum amount of data being copied.
17) An integer underflow error in IML32.dll when e.g.
decompressing
embedded GIF images can be exploited to corrupt memory.
18) Missing input validation in TextXtra.x32 within a function
designed to read data into a buffer based on size values
obtained
from DEMX chunks can be exploited to cause buffer overflows.
19) An error when extracting strings from embedded media
objects can
be exploited to write a NULL byte to an arbitrary memory
location.
20) An error in dirapi.dll when parsing CASt chunks can be
exploited
to cause buffer overflows as size values are not properly
checked
before being used in a call to memmove().
21) An integer overflow error in IML32.dll when allocating
buffers to
e.g. contain data from rcsL chunks can be exploited to cause a
heap-based buffer overflow.
22) An integer overflow error in TextXtra.x32 when parsing text
elements can be exploited to cause heap-based buffer overflows.
23) An integer overflow error when allocating memory for
substructures within xtcL chunks can be exploited to cause
heap-based
buffer overflows.
24) An integer overflow error in the Shockwave3DAsset component
when
parsing DEMX chunks can be exploited to cause a heap-based
buffer
overflow.
25) Missing input validation within the parsing of certain
structures
in rcsL chunks can be exploited to corrupt memory as an offset
is
trusted when calculating a pointer value.
26) Multiple unspecified errors in IML32.dll can be exploited
to
corrupt memory.
27) An unspecified error in IML32.dll can be exploited to
corrupt
memory.
28) A logic error when attempting to reallocate memory based on
DEMX
data may result in memory not being reallocated as expected and
can
be exploited to cause heap-based buffer overflows.
29) An input validation error exists in the FLV ASSET Xtra
component.
30) A logic error in dirapi.dll when parsing substructures
within
rcsL chunks can be exploited to trigger misallocation of
buffers and
cause heap-based buffer overflows.
31) An integer overflow error in the CursorAsset x32 component
when
parsing cursor structures can be exploited to cause a
heap-based
buffer overflow.
32) An integer overflow error in AudioMixer.x32 when parsing
mixer
structures can be exploited to cause a heap-based buffer
overflow.
33) An unspecified error in dirapi.dll can be exploited to
corrupt
memory.
34) An integer overflow error exists in the Shockwave 3D Asset
x32
component.
35) A logic error when attempting to allocate memory for DEMX
data
using overly large sizes may result in memory not being
allocated as
expected and can be exploited to corrupt memory.
36) An error in Dirapix.dll can be exploited to cause a buffer
overflow.
37) An unspecified error can be exploited to cause a buffer
overflow.
38) An unspecified error can be exploited to corrupt memory.
39) An input validation error when parsing DEMX chunks causes
an
invalid value to be used as a loop counter when writing data,
which
can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities allows execution
of
arbitrary code.
The vulnerabilities are reported in version 11.5.9.620. Other
versions may also be affected.
SOLUTION:
Update to version 11.6.0.626.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-17.html
Secunia Research:
http://secunia.com/secunia_research/2011-40/
http://secunia.com/secunia_research/2011-42/
http://secunia.com/secunia_research/2011-43/
http://secunia.com/secunia_research/2011-44/
http://secunia.com/secunia_research/2011-45/
http://secunia.com/secunia_research/2011-46/
http://secunia.com/secunia_research/2011-47/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-200/
http://www.zerodayinitiative.com/advisories/ZDI-11-201/
http://www.zerodayinitiative.com/advisories/ZDI-11-202/
http://www.zerodayinitiative.com/advisories/ZDI-11-203/
http://www.zerodayinitiative.com/advisories/ZDI-11-204/
http://www.zerodayinitiative.com/advisories/ZDI-11-205/
http://www.zerodayinitiative.com/advisories/ZDI-11-206/
http://www.zerodayinitiative.com/advisories/ZDI-11-207/
http://www.zerodayinitiative.com/advisories/ZDI-11-208/
http://www.zerodayinitiative.com/advisories/ZDI-11-209/
http://www.zerodayinitiative.com/advisories/ZDI-11-210/
http://www.zerodayinitiative.com/advisories/ZDI-11-211/
http://www.zerodayinitiative.com/advisories/ZDI-11-212/
http://www.zerodayinitiative.com/advisories/ZDI-11-213/
http://www.zerodayinitiative.com/advisories/ZDI-11-214/
http://www.zerodayinitiative.com/advisories/ZDI-11-215/
http://www.zerodayinitiative.com/advisories/ZDI-11-216/
http://www.zerodayinitiative.com/advisories/ZDI-11-217/
=========================
The list's FAQ's can be seen by sending an email to
PCWorks-request@xxxxxxxxxxxxx with FAQ in the subject line.
To unsubscribe, subscribe, set Digest or Vacation to on or off, go to
//www.freelists.org/list/pcworks . You can also send an email to
PCWorks-request@xxxxxxxxxxxxx with Unsubscribe in the subject line. Your
member list settings can be found at
//www.freelists.org/cgi-bin/lsg2.cgi/l=pcworks . Once logged in, you have
access to numerous other email options.
The list archives are located at //www.freelists.org/archives/pcworks/ .
All email posted to the list will be placed there in the event anyone needs to
look for previous posts.
-zxdjhu-
Other related posts:
