Document Title:
===============
Flashplayer npswf32.dll - Memory Corruption Vulnerability

Date:
=====
2011-06-18

VL-ID:
=====
179

Common Vulnerability Scoring System:
====================================
8.1

Introduction:
=============
Adobe® Flash® Player is a cross-platform, browser-based application runtime that delivers uncompromised viewing of expressive
multimedia applications, content and video across screens and browsers. Flash Player 10.3 is designed for optimal display on
mobile device screens and takes advantage of native device capabilities so that the user gets a richer and more immersive experience.

(Copy of the Vendor Homepage: http://get.adobe.com/de/flashplayer/)

Abstract:
=========
The Vulnerability-Lab Team identified a critical memory corruption in the new Shockwave Flash Player & browser add-on.

Report-Timeline:
================
2011-04-06: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-06-16: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A new critical vulnerability has been identified in Adobe Shockwave (SW) Flash Player, which may be exploited by remote attackers
to execute arbitrary commands. The issue is caused by a memory corruption error when a specially crafted .swf file is embedded
through a XUL page in browser players. Adobe Flash (NPSWF32.dll) crashes due to a null pointer exception, which allows an attacker
to overwrite & read a pointer in memory. The result is arbitrary code execution.

The victim needs to visit a specially crafted embed HTML or XUL web page with the player, or open a malicious & manipulated
stream via the player.
Vulnerable Module(s):
[+] NPSWF32.dll

--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129489977043370414
ReportType=2
Consent=1
ReportIdentifier=f144b1d9-7665-11e0-8892-e88c0453f9c7
IntegratorReportIdentifier=f144b1d8-7665-11e0-8892-e88c0453f9c7
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=plugin-container.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=2.0.1.4120
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4da6a99c
Sig[3].Name=Fehlermodulname
Sig[3].Value=NPSWF32.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=10.2.152.26
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4d4b5b5c
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00178b8a
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=ca57
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=ca57f4d2c38c7795b111e2ddddad5066
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=2466
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=2466efe0a69899023df82e3bd3889773
UI[2]=C:\Program Files(x86)\Mozilla Firefox\plugin-container.exe
LoadedModule[0]=C:\plugin-container.exe
LoadedModule[1]=C:/Windows\SysWOW64/ntdll.dll
...
...
...
LoadedModule[78]=C:\Windows\system32\midimap.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Plugin Container for Firefox
AppPath=C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

--- Exception Log ---
eax=7f0c1855 ebx=00000000 ecx=00000000 edx=00000000 esi=00619400 edi=02dd6a14
eip=688a8b8a esp=0031ea64 ebp=0031eaf0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Unable to load image C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NPSWF32.dll
*** ERROR: Module load completed but symbols could not be loaded for NPSWF32.dll
NPSWF32+0x178b8a:
688a8b8a 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????

--- Debug Log ---
FAULTING_IP:
NPSWF32+178b8a
688a8b8a 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

PROCESS_NAME:  plugin-container.exe

FAULTING_MODULE: 75140000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  4d4b5b5c

MODULE_NAME: NPSWF32

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
NPSWF32+178b8a
688a8b8a 8b01            mov     eax,dword ptr [ecx]

FAULTING_THREAD:  000009ac

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ

DEFAULT_BUCKET_ID:  NULL_POINTER_READ

IP_ON_STACK:
+6d2e952f0505d890
0031eb78 0000            add     byte ptr [eax],al

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 0031eb78 to 688a8b8a

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0031eaf0 0031eb78 00000002 0031eb74 c0150008 NPSWF32+0x178b8a
00000000 00000000 00000000 00000000 00000000 0x31eb78

STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NPSWF32+178b8a

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  NPSWF32.dll

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_NPSWF32.dll!Unknown

Followup: MachineOwner
---------

0:000> .exr 0xffffffffffffffff
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
---------

Pictures:
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png

Proof of Concept:
=================
The memory corruption vulnerability can be exploited by local & remote attackers. For demonstration or reproduction ...

Required for Reproduction: Microsoft Windows 7 x64; Mozilla Firefox; Ant Toolbar + Player & the famous Shockwave Flash Player
10.3.181.14 with NPSWF32.dll

Manual but remote reproduction ... follow the steps 1:1!

1. Install Mozilla Firefox & the add-on Ant Toolbar with its player
2. To catch the bug use WinDbg, Immunity or OllyDbg under Win7 x64
3. Open http://th3-0utl4ws.com with our .swf PoC
4. Down in the browser status bar click on the Download or Player button
5. Start the SWF file of the website & open it, for example, 2 times
6. The crash happens when the security check asks the user for acceptance while processing the .swf file.
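The WER signature block in the Error Logs section and the WinDbg register/.exr dump in the Debug Log section carry the same facts twice (module, exception code, offset), and a triage script should cross-check them before drawing a conclusion. The helper below is an added example written for this page; it is not the advisory's own tooling. It feeds constructed samples modelled on the dumps above (the values shown on the page: NPSWF32.dll, c0000005, offset 00178b8a, eip 688a8b8a, ecx=0) through two small parsers, derives the module base from eip minus the reported offset, reads the access kind from the access-violation parameters (0 = read, 1 = write, 8 = DEP), and buckets the fault the same way the debugger did (NULL_POINTER_READ). The bucket rules go slightly beyond this one crash and also classify null-pointer writes and DEP violations, so the same script can be reused on other crash reports; the rating strings are this example's own wording, not a vendor scale.

```python
"""Added triage helper (not part of the advisory): parse a WER APPCRASH
signature block and a WinDbg register/exception dump, cross-check them
and bucket the fault the way a crash-classification tool would."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the WER fields shown in the Error Logs section.
SAMPLE_WER = """\
Version=1
EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=plugin-container.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=NPSWF32.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=10.2.152.26
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00178b8a
"""

# Constructed sample: register dump, faulting instruction and .exr record.
SAMPLE_WINDBG = """\
eax=7f0c1855 ebx=00000000 ecx=00000000 edx=00000000 esi=00619400 edi=02dd6a14
eip=688a8b8a esp=0031ea64 ebp=0031eaf0 iopl=0
688a8b8a 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
ExceptionAddress: 688a8b8a (NPSWF32+0x00178b8a)
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# ExceptionInformation[0] of an access violation: 0 = read, 1 = write, 8 = DEP.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}
NULL_PAGE_LIMIT = 0x10000  # lowest 64 KiB of a user-mode process is never mapped


@dataclass
class CrashTriage:
    process: str
    module: str
    module_version: str
    exception_code: int
    offset: int
    fault_ip: int
    module_base: int
    access: str
    fault_address: int
    deref_register: Optional[str]
    deref_value: Optional[int]
    consistent: bool
    bucket: str
    rating: str


def parse_wer(text: str) -> dict:
    """Resolve WER Sig[n].Name / Sig[n].Value pairs into {name: value}."""
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    sigs = {}
    for key, name in kv.items():
        m = re.fullmatch(r"Sig\[(\d+)\]\.Name", key)
        if m:
            sigs[name] = kv.get(f"Sig[{m.group(1)}].Value", "")
    return sigs


def parse_windbg(text: str) -> dict:
    """Pull registers, the faulting memory operand and the .exr fields out of WinDbg output."""
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    sym = re.search(r"ExceptionAddress: ([0-9a-f]{8}) \((\w+)\+0x([0-9a-f]+)\)", text)
    deref = re.search(r"ptr \[(e[a-z]{2})\]", text)  # register the faulting instruction reads through
    return {
        "regs": regs,
        "address": int(sym.group(1), 16),
        "module": sym.group(2),
        "offset": int(sym.group(3), 16),
        "code": int(re.search(r"ExceptionCode: ([0-9a-f]{8})", text).group(1), 16),
        "params": [int(v, 16) for v in re.findall(r"Parameter\[\d\]: ([0-9a-f]{8})", text)],
        "deref_register": deref.group(1) if deref else None,
    }


def triage(wer_text: str, windbg_text: str) -> CrashTriage:
    """Cross-check both sources and bucket the fault."""
    sigs, dbg = parse_wer(wer_text), parse_windbg(windbg_text)
    code, offset = int(sigs["Ausnahmecode"], 16), int(sigs["Ausnahmeoffset"], 16)
    module = sigs["Fehlermodulname"]
    # Both sources must agree on exception code, module and offset.
    consistent = (code == dbg["code"] and offset == dbg["offset"]
                  and module.lower().startswith(dbg["module"].lower()))
    params = dbg["params"] + [0, 0]  # pad so indexing below is safe
    is_av = code == STATUS_ACCESS_VIOLATION
    access = ACCESS_KIND.get(params[0], "unknown") if is_av else "n/a"
    reg = dbg["deref_register"]
    if not is_av:
        bucket, rating = f"EXCEPTION_{code:08X}", "unknown: not an access violation"
    elif params[0] == 8:
        bucket, rating = "DEP_VIOLATION", "likely exploitable: control flow reached non-executable memory"
    elif params[1] < NULL_PAGE_LIMIT:
        bucket = "NULL_POINTER_" + access.upper()
        rating = ("probably exploitable: write through a null-based pointer" if params[0] == 1
                  else "denial of service unless the pointer is attacker-controlled; confirm before claiming code execution")
    else:
        bucket, rating = "INVALID_POINTER_" + access.upper(), "needs analysis: wild pointer"
    return CrashTriage(sigs["Anwendungsname"], module, sigs.get("Fehlermodulversion", ""),
                       code, offset, dbg["address"], dbg["address"] - offset, access, params[1],
                       reg, dbg["regs"].get(reg) if reg else None, consistent, bucket, rating)


if __name__ == "__main__":
    print(triage(SAMPLE_WER, SAMPLE_WINDBG))
```

Running it on the samples yields module base 0x68730000 (eip 0x688a8b8a minus offset 0x178b8a), a read through ecx with ecx = 0, and the bucket NULL_POINTER_READ, matching the PRIMARY_PROBLEM_CLASS the debugger printed; a report whose two halves disagree is flagged by `consistent == False` and should be treated as two different crashes.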
PoC: ../video-demo.wmv
PoC: ../intro.swf

Analyses: (Reports)
../AppCrash_plugin-container_1a70e13d391b60691e57e8a02eb38b46a893a1d_003d8c2b
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_04e19f4f
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_11e6e7b0
../AppCrash_plugin-container_8d691233d77f2d079a51d6433658a5c9a5de58_cab_1303fae3
../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_114ed366
../AppCrash_plugin-container_6080e4526ed4385e53e8431a6d8a65a91178d77_cab_0cb4ab67
../Flash
../Video-PoC && ../PoC

Risk:
=====
The security risk of the remote memory corruption vulnerability is estimated as critical.

Credits:
========
Vulnerability Research Laboratory

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.
Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                  - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com     - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com       - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab     - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos
and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record,
list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory