This is very similar to one of the other crashes we have found. (Breaking into it reveals the same instruction as one of them.) The current revision does not fix any of these other potentially exploitable crashes mentioned in the advisory. The difficulty is really in making these crashes exploitable. The one we posted about was absolutely exploitable, and we wrote exploit code for it. This involved running bit combinations of the header and built-in stack tracing where key EIP changes were alerted and logged to a file. Since it is nearly impossible to crack 27 bytes with combinations between 00 and FF, we made some educated jumps at key junctures... over a period of several weeks.

This said, running tests against other filetypes has revealed similar issues which we are trying to find the time to fully work out. (The actual primary testing method does not involve so much bit shifting as it does going through the file systematically, looking for memory write issues, so that every error condition might at least be caught.) And some filetypes are far more difficult to test in this automated manner than Flash. For instance, PDF files involve a lengthy loading of the slow-running PDF module, and numerous Office applications open outside windows which must be automatically closed... still not giving a solid opportunity to use the automated exception handler and debugger.

Hopefully, in the not too distant future Macromedia will have all of these potentially exploitable conditions removed from their file type, as their software is exceedingly popular and would make for a very bad method of attack against users.

> -----Original Message-----
> From: Carlos Laviola [mailto:carlos@laviola.org]
> Sent: Sunday, August 11, 2002 3:14 AM
> To: 'BUGTRAQ'
> Subject: Re: EEYE: Macromedia Shockwave Flash Malformed Header Overflow
>
>
> On Fri, Aug 09, 2002 at 05:44:27PM -0400, Mike Chambers wrote:
> > The linux and solaris updates will be available later today.
> >
> > You will be able to download it at:
> > www.macromedia.com/go/getflashplayer/
>
> I've downloaded this fixed version, but it seems to be
> vulnerable to something I've discovered last week: if you
> take a .swf and rot13 encode it (not all of it, so the
> headers are not messed up), you can crash the user's browser.
> I've tested it on Netscape 4.77 with Flash 4.0 r12 and
> Galeon 1.2.5, which is based on Mozilla 1.0, with Flash 5.0
> r50 (both running on Debian unstable) and IE 6.0 (on Windows
> 2000) and all of them crash instantly when I try to open the
> rot13-garbled file.
>
> Check it out:
> http://alternex.com.br/~claviola/sample1.swf (original)
> http://alternex.com.br/~claviola/sample2.swf (modified)
>
> --
> Carlos Laviola <carlos@laviola.org>
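The two techniques in this thread, eEye's walk of the first 27 header bytes through every value 00..FF with findings logged to a file, and Carlos Laviola's rot13 of the body with the header left intact, as an added Python example. This is not eEye's tooling and not the files linked above; it assumes the documented uncompressed SWF layout (FWS signature, version, uint32 length, bit-packed RECT, frame rate and count, then tags), builds its own constructed sample file, and stands in a trusting pure-Python parser (`naive_consumer`, a hypothetical name) for the debugger-attached player, so the "findings" it reports are out-of-bounds reads that parser would have made, not crashes of any real product.

```python
"""SWF header-walking mutation harness (added example, not eEye's tool).

Uncompressed SWF layout assumed here:
  bytes 0..2  "FWS" ("CWS" marks a zlib-compressed body, SWF 6+)
  byte  3     version
  bytes 4..7  file length, uint32 little-endian
  RECT        frame size: 5-bit Nbits, then 4 fields of Nbits bits, byte-padded
  uint16      frame rate (8.8 fixed), uint16 frame count
  tags        uint16 header = code << 6 | length; length 0x3F => uint32 follows
"""
import codecs
import struct
from typing import Callable, Iterator, List, Optional, Tuple


def rect_size(data: bytes, offset: int) -> int:
    """Byte length of the RECT at `offset`: 5 + 4*Nbits bits, padded to a byte."""
    nbits = data[offset] >> 3
    return (5 + 4 * nbits + 7) // 8


def header_length(data: bytes) -> int:
    """Offset of the first tag: 8 fixed bytes + RECT + frame rate + frame count."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF header")
    return 8 + rect_size(data, 8) + 4


def build_sample_swf() -> bytes:
    """Constructed sample (not the thread's files): 550x400 px stage (11000x8000
    twips), 12 fps, one frame with a FrameLabel "Scene1", then ShowFrame, End."""
    bits = "01111"                                  # Nbits = 15
    for twips in (0, 11000, 0, 8000):               # xmin, xmax, ymin, ymax
        bits += format(twips, "015b")
    bits += "0" * (-len(bits) % 8)
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    tags = (struct.pack("<H", (43 << 6) | 7) + b"Scene1\x00"   # FrameLabel, code 43
            + struct.pack("<H", 1 << 6)                        # ShowFrame, code 1
            + b"\x00\x00")                                     # End, code 0
    body = struct.pack("<HH", 12 << 8, 1) + tags               # 12.0 fps, 1 frame
    total = 8 + len(rect) + len(body)
    return b"FWS" + bytes([5]) + struct.pack("<I", total) + rect + body


def header_byte_mutants(data: bytes, max_bytes: int = 27) -> Iterator[Tuple[int, int, bytes]]:
    """Walk each of the first `max_bytes` bytes through every other value 0x00..0xFF,
    one byte at a time: 27 * 255 mutants instead of 256**27 combinations."""
    for off in range(min(max_bytes, len(data))):
        for val in range(256):
            if val != data[off]:
                yield off, val, data[:off] + bytes([val]) + data[off + 1:]


def rot13_body(data: bytes) -> bytes:
    """The body transform as described in the thread: rot13 everything after the
    header so the header stays intact. Assumes a text rot13 (ASCII letters only)."""
    hlen = header_length(data)
    body = codecs.encode(data[hlen:].decode("latin-1"), "rot_13")
    return data[:hlen] + body.encode("latin-1")


def naive_consumer(data: bytes) -> Optional[str]:
    """Hypothetical stand-in for the debugger-attached player: a trusting parser
    that reports the out-of-bounds read it would have made. None means the file
    parsed cleanly or was rejected up front (bad signature, or CWS needing inflate)."""
    if data[:3] != b"FWS":
        return None
    size = len(data)
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared != size:
        return f"declared length {declared} != actual {size}"
    off = header_length(data)
    if off > size:
        return f"header RECT runs {off - size} byte(s) past end of file"
    while off + 2 <= size:
        code_len = struct.unpack_from("<H", data, off)[0]
        code, length = code_len >> 6, code_len & 0x3F
        off += 2
        if length == 0x3F:                          # long form: uint32 length follows
            if off + 4 > size:
                return f"long tag header at {off - 2} truncated"
            length = struct.unpack_from("<I", data, off)[0]
            off += 4
        if off + length > size:
            return f"tag {code} at {off} wants {length} bytes, {size - off} remain"
        if code == 0:
            return None
        off += length
    return "tag stream ran off the end without an End tag"


def fuzz(data: bytes, oracle: Callable[[bytes], Optional[str]],
         log_path: Optional[str] = None, max_bytes: int = 27) -> List[Tuple[int, int, str]]:
    """Feed every single-byte mutant to `oracle`; collect (offset, value, finding) and
    append each to `log_path` as it happens, so a crash that takes the harness
    down with it does not lose the findings already made."""
    hits: List[Tuple[int, int, str]] = []
    log = open(log_path, "a") if log_path else None
    try:
        for off, val, mutant in header_byte_mutants(data, max_bytes):
            finding = oracle(mutant)
            if finding:
                hits.append((off, val, finding))
                if log:
                    log.write(f"offset {off:#04x} value {val:#04x}: {finding}\n")
                    log.flush()
    finally:
        if log:
            log.close()
    return hits


if __name__ == "__main__":
    sample = build_sample_swf()
    for off, val, finding in fuzz(sample, naive_consumer)[:10]:
        print(f"[{off:#04x}]={val:#04x} -> {finding}")
    print("rot13 body differs from original:", rot13_body(sample) != sample)
```

Against a real target, `naive_consumer` would be replaced by a function that writes the mutant to disk, launches the player or browser on it under a debugger, and returns the faulting instruction address; the rest of the harness, the one-byte-at-a-time walk and the flushed log, is what turns 256**27 combinations into a run that finishes and keeps its results when the target dies.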