Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Memory corruption when Adobe Shockwave Player parses .dir media file CVE-2010-2868 INTRODUCTION Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment. Adobe Shockwave player does not properly parse .dir media file, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D. This problem was confirmed in the following versions of Adobe Shockwave Player, other versions may be also affected. Shockwave Player version 11.5.7.609 and older for Windows and MacOS CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parts. DETAILS Disassembly: 69081240 74 46 JE SHORT IML32.69081288 69081242 8B16 MOV EDX,DWORD PTR DS:[ESI] 69081244 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8] 69081247 83E2 02 AND EDX,2 6908124A 0BD5 OR EDX,EBP 6908124C 83CA 01 OR EDX,1 6908124F 8916 MOV DWORD PTR DS:[ESI],EDX 69081251 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4] 69081254 8950 04 MOV DWORD PTR DS:[EAX+4],EDX 69081257 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] 6908125A 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8] 6908125D 8950 08 MOV DWORD PTR DS:[EAX+8],EDX 69081260 8BFE MOV EDI,ESI 69081262 03F5 ADD ESI,EBP 69081264 894C31 FC MOV DWORD PTR DS:[ECX+ESI-4],ECX <--- Problem ECX = 0x616CF240 ESI = 0x06C94038 CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).