In-Reply-To: <118-2136623052.20021118134327@SECURITY.NNOV.RU> Status on the below posting regarding: 1. zlib 1.1.3 double free() bug 2. Buffer overflow in SWRemote parameter for flash object. 1. zlib 1.1.4 double free() bug ===================== Flash Player 6 was released with the fix for the double free() bug back in March 2002, the player ships with the latest version 1.1.4. We have not found any exploit of this to date, since we ship with the latest version 2. SW Remote parameter tag ===================== We investigated this issue and worked with LOM <lom at lom.spb.ru> to try and reproduce this buffer overflow. In all of our testing we could NOT reproduce a buffer overflow, but there is indeed a crash bug which we have a fix for in our public beta at <http://www.macromedia.com/software/flashplayer/special/beta/> In all of these cases we worked directly with the reporter and resolved these issues, to be either an issue or a non issue. Macromedia is committed to security, we take security very seriously. Regards Troy Evans Flash Player Product Manager >Author: LOM <lom at lom.spb.ru> >Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet > Explorer >Vendor: Macromedia was contacted on 23 Oct 2002. >Risk: High >Remote: Yes >Exploitable: Yes > >Into: > >Macromedia flash ActiveX plugin displays .swf files under Internet >Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have >the Macromedia Flash Player". > >Vulnerabilities: > >Few vulnerabilities were identified: protected memory reading, memory >consumption DoS and more serious: > 1. zlib 1.1.3 double free() bug > 2. Buffer overflow in SWRemote parameter for flash object. > >Details: > >Last bug is very close to one reported by eEye in May [2]. Probably it >was not found by eEye because overflow is heap based, so exception is >triggered on free(). It may be achieved by setting and changing property >with Javascript, for example. This kind of overflows (heap based Unicode >overflow) is exploitable under Internet Explorer. Attached proof of >concept (by LOM)[1] demonstrates exception triggered in free(). See [3] >for exploiting heap overflows, [4] for exploiting Unicode overflows >under Internet Explorer. > >Credits: > >Vulnerabilities were discovered by LOM <lom at lom.spb.ru> > >Vendor: > >Macromedia was contacted on 23 Oct 2002. The only reply was received on >29 Oct 2002 that Macromedia will look into these issues. > >Workaround: > >Disable ActiveX in Internet Explorer or uninstall flash ActiveX. > >References: > >1. Macromedia Shockwave proof of concept > http://www.security.nnov.ru/files/swfexpl.zip >2. eEye, Macromedia Flash Activex Buffer overflow > http://www.eeye.com/html/Research/Advisories/AD20020502.html >3. w00w00 on Heap Overflows > http://www.w00w00.org/files/articles/heaptut.txt >4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and > few sidenotes on Unicode overflows in general) > http://www.security.nnov.ru/search/document.asp?docid=2554 >5. Additional or updated information on this issue > http://www.security.nnov.ru/search/news.asp?binid=1982 >
