Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Adobe/Macromedia Flash Player Code Execution (Action Script)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Adobe/Macromedia Flash Player Code Execution (Action Script)
Date: 13 Sep 2006 09:11:13 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Adobe/Macromedia Flash Player Code Execution (Action Script)
------------------------------------------------------------------------


SUMMARY

Adobe/Macromedia Flash Player is "the world's most ubiquitous Browser 
plug-in for Microsoft, Mozilla and Apple technologies. The plug-in claims 
to facilitate high-impact web interfaces and interactive online 
advertising for circa 98% of desktops globally".

Unfortunately, it transpires that Adobe Flash Player is prone to a remote 
arbitrary code execution vulnerability, that allows an attacker to gain 
control of a target system through the simple invocation of a maliciously 
constructed web page.

DETAILS

Vulnerable Systems:
 * Adobe Flash Player 8.0.24.0 and earlier versions
 * Adobe Flash Professional 8, Flash Basic
 * Adobe Flash MX 2004
 * Adobe Flex 1.5

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3311> 
CVE-2006-3311

The vulnerability originates out of Flash's failure to sufficiently handle 
large dynamically generated strings at run time. As a result, it is 
possible (using rudimentary Action Script) to create a .swf movie in such 
a way that when processed by the Plug-in, will overwrite system memory at 
an explicit location.

More specifically, the aforementioned location can (with a certain degree 
of accuracy) be attacker controlled via the direct manipulation of the 
overall length of the generated string.

The net result is that of a partially controllable condition, which opens 
the door to a multitude of differing exploitation vectors, including but 
not limited to heap/stack overwrites, and/or 3rd party race conditions.

Vendor response:
The vendor security bulletin and corresponding patches are available at 
the following location:  <http://www.adobe.com/go/apsb06-11/> 
http://www.adobe.com/go/apsb06-11/

Disclosure Timeline:
12/05/2006 - Preliminary Vendor notification.
18/05/2006 - Vulnerability confirmed in pre-release Flash 9, and earlier 
versions
28/06/2006 - Flash Player 9 released (Fixed)
31/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.

Total Time to Fix: 4 months (123 days)


ADDITIONAL INFORMATION

The information has been provided by Stuart Pearson.
The original article can be found at:  
<http://www.computerterrorism.com/research/ct12-09-2006.htm> 
http://www.computerterrorism.com/research/ct12-09-2006.htm



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Adobe/Macromedia Flash Player Code Execution (Action Script), SecuriTeam <=
Previous by Date:  [NT] Vulnerability in Microsoft Publisher Allows Code Execution (MS06-054), SecuriTeam
Next by Date:  [NT] Microsoft Publisher Font Parsing Vulnerability, SecuriTeam
Previous by Thread:  [NT] Vulnerability in Microsoft Publisher Allows Code Execution (MS06-054), SecuriTeam
Next by Thread:  [NT] Microsoft Publisher Font Parsing Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]