Thursday, October 21, 2010

ZeroDay: Adobe Shockwave Player rcsL Chunk Memory Corruption

Advisory Information

Title: Adobe Shockwave player rcsL chunk memory corruption
Version: Adobe Shockwave Player (latest at time of writing)
Impact: Critical
Contact: shahin[at], info[at]
Twitter: @abysssec
CVE: none (zero-day, not patched)

Vulnerability Information

Class - Memory corruption allowing arbitrary code execution
Impact - Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause a denial-of-service condition.
Remotely Exploitable - Yes
Locally Exploitable - Yes


Shockwave Player is a browser plug-in that loads Adobe Director movies. A Director movie is stored either as a DIR file or in the compressed DCR form. The DIR format is a RIFF-style container: the file starts with a 4-byte RIFX identifier followed by a 4-byte length covering everything after the length field, and the rest of the file is a sequence of chunks, each laid out as a 4-byte chunk identifier, a 4-byte chunk size, and the chunk data. Chunk identifiers include tSAC, pami, and rcsL.

Using our simple fuzzer we manipulated a Director movie file and found a vulnerability in part of an existing rcsL chunk.
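As an added worked example (not part of the original advisory and not the authors' fuzzer), the following Python walks a RIFX container chunk by chunk with the bounds checks a robust parser needs, then applies the simplest fuzzer-style mutation, rewriting one chunk's declared size, to show the kind of inconsistency such a parser must reject. The sample container is constructed inline and is not a real Director movie. The little-endian form of the container uses the XFIR magic, and in it the four-character tags appear byte-reversed on disk, which is why the advisory's identifiers read pami, tSAC and rcsL rather than imap, CASt and Lscr; the form-type and even-byte padding handling follow the generic RIFF rules and are assumptions where Director deviates.

```python
import struct
from dataclasses import dataclass


class MalformedRiff(ValueError):
    """Raised whenever a header or chunk size does not fit in the buffer."""


@dataclass
class Chunk:
    tag: bytes      # four-character code exactly as it appears on disk
    offset: int     # file offset of the chunk's data (header is at offset-8)
    size: int       # declared data size
    data: bytes


def parse_riff(buf: bytes):
    """Walk a RIFX (big-endian) or XFIR (little-endian) container.

    Returns (form_type, [Chunk, ...]). Every declared size is checked against
    the bytes actually present before it is used, which is the check that a
    chunk with a fuzzed, oversized length field exercises.
    """
    if len(buf) < 12:
        raise MalformedRiff("shorter than the 12-byte container header")
    magic = buf[0:4]
    if magic == b"RIFX":
        endian = ">"
    elif magic == b"XFIR":
        endian = "<"
    else:
        raise MalformedRiff("unknown magic %r" % magic)
    (total,) = struct.unpack(endian + "I", buf[4:8])
    end = 8 + total                       # the length field covers everything after itself
    if end > len(buf):
        raise MalformedRiff("declared length %d exceeds file size %d" % (total, len(buf)))
    form_type = buf[8:12]
    chunks = []
    pos = 12
    while pos < end:
        if end - pos < 8:
            raise MalformedRiff("truncated chunk header at offset %d" % pos)
        tag = buf[pos:pos + 4]
        (size,) = struct.unpack(endian + "I", buf[pos + 4:pos + 8])
        data_off = pos + 8
        # Compare against the remaining bytes rather than computing data_off+size:
        # in a 32-bit native parser that addition is exactly where the wrap-around happens.
        if size > end - data_off:
            raise MalformedRiff("chunk %r at offset %d declares %d bytes, only %d remain"
                                % (tag, pos, size, end - data_off))
        chunks.append(Chunk(tag, data_off, size, buf[data_off:data_off + size]))
        pos = data_off + size + (size & 1)  # assumption: RIFF's even-byte chunk padding
    return form_type, chunks


def build_chunk(tag: bytes, data: bytes, endian: str) -> bytes:
    """Serialise one chunk: tag + size + data, padded to an even length."""
    return tag + struct.pack(endian + "I", len(data)) + data + (b"\x00" if len(data) & 1 else b"")


def build_riff(form_type: bytes, chunks, endian: str) -> bytes:
    """Serialise a whole container; tags are passed as they should appear on disk."""
    body = form_type + b"".join(build_chunk(t, d, endian) for t, d in chunks)
    magic = b"RIFX" if endian == ">" else b"XFIR"
    return magic + struct.pack(endian + "I", len(body)) + body


def mutate_chunk_size(buf: bytes, target_tag: bytes, new_size: int) -> bytes:
    """Fuzzer-style mutation: rewrite the declared size of the first chunk with
    target_tag while leaving its data untouched, producing a header/content
    mismatch of the kind a simple mutational fuzzer generates."""
    endian = ">" if buf[:4] == b"RIFX" else "<"
    for c in parse_riff(buf)[1]:
        if c.tag == target_tag:
            size_off = c.offset - 4
            return buf[:size_off] + struct.pack(endian + "I", new_size) + buf[size_off + 4:]
    raise KeyError(target_tag)


# Constructed samples (not real Director movies): the same two chunks in both byte orders.
# In the little-endian layout the tags are stored reversed, so Lscr becomes rcsL.
SAMPLE_RIFX = build_riff(b"MV93", [(b"imap", b"\x00" * 24), (b"Lscr", b"\x01\x02\x03\x04" * 4)], ">")
SAMPLE_XFIR = build_riff(b"39VM", [(b"pami", b"\x00" * 24), (b"rcsL", b"\x01\x02\x03\x04" * 4)], "<")


def demo():
    """Parse the little-endian sample, then show the oversized-size mutation being rejected."""
    form_type, chunks = parse_riff(SAMPLE_XFIR)
    tags = [c.tag for c in chunks]
    fuzzed = mutate_chunk_size(SAMPLE_XFIR, b"rcsL", 0x7FFFFFFF)
    try:
        parse_riff(fuzzed)
        rejected = False
    except MalformedRiff:
        rejected = True
    return form_type, tags, rejected


if __name__ == "__main__":
    print(demo())
```

The mutation only touches the size field; a real fuzzer would also flip bytes inside the chunk data, but the size/length mismatch is the simplest case to reason about, and the `size > end - data_off` comparison is the form of the check that stays correct even when the arithmetic is done in 32-bit integers.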


PS1: This vulnerability is not the already-patched bug reported through ZDI.


Offensive Security has released a high-quality proof-of-concept (PoC) video (MP4) of the exploit, featuring music by Dual Core.

The video shows the "attacker" setting up a local netcat listener; the "victim" then navigates to a website where a specially crafted (malicious) Shockwave file is loaded into Adobe Shockwave Player via the browser, resulting in a command shell being pushed back to the attacker. pwnage. game, set, match.
