by Peixue Li  |  Oct 30, 2015  |  Filed in: Security Research
Overview
Despite a number of recent vulnerabilities discovered in Adobe Shockwave and a general move to other multimedia platforms, Adobe reports that over 450 million Internet-enabled computers have Adobe Shockwave installed.  Shockwave remains a powerful legacy platform that supports raster graphics, basic vector graphics, 3D graphics, audio, and an embedded scripting language called Lingo. 
 
Recently, researchers at FortiGuard Labs discovered a memory corruption vulnerability (CVE-2015-7649) in Shockwave that could lead to an unexpected application termination or arbitrary code execution.
 
Analysis
Movies and animations created with Macromedia Director (later known as Adobe Director) have a .dir file extension. As with many multimedia formats, DIR files contain an array of atoms, particularly so-called “rcsL” atoms. The rcsL atom is 20 bytes in size and has the following structure:
Name:    4 bytes, must be ‘rcsL’
Length:  DWORD, little endian
Offset:  DWORD, little endian
Unused:  8 bytes
The value of (Offset + Length + 8) is the address of data of the ‘rcsL’ atom in the DIR file, which starts with the tag ‘rcsL’. For example, the Length and Offset of the following ‘rcsL’ atom are 0x02C0 and 0x85A8 respectively. Then the address of its data in the DIR file should be 0x8870 (0x02C0 + 0x85A8 + 8).
As you can see from the following figure, at address 0x8870 in the DIR file we do find its data, which starts with the tag ‘rcsL’.
However, an attacker could exploit this vulnerability with a specially crafted DIR file. In the case shown below, the 2nd ‘rcsL’ atom contains an incorrect Offset value. As you can see from the following figure, the Length and Offset of this ‘rcsL’ atom are 0x03EC and 0x8878 respectively, so the address of its data in the DIR file should be 0x8C6C (0x03EC + 0x8878 + 8).
 
However, the real address of the data of the 2nd ‘rcsL’ atom is 0x8C64, as shown in the following figure.
 
The correct Offset value should be 0x8870, since 0x03EC + 0x8870 + 8 = 0x8C64. Because of the incorrect Offset value, an incorrect address is calculated and accessed. This results in the memory corruption which, as noted in Adobe’s security bulletin on this vulnerability, “could potentially allow an attacker to take control of the affected system.”
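The address rule above (data address = Offset + Length + 8) is exactly the kind of file-supplied arithmetic a parser has to validate before dereferencing. The script below is an added example, not code from the original post, from Fortinet, or from Adobe: it parses rcsL atoms from a buffer, computes the data address, and only treats the atom as valid if that address lies inside the file and points at an ‘rcsL’ tag. The buffer is constructed here to imitate the layout described in the article (a good atom with Length 0x02C0 / Offset 0x85A8, a bad atom with Length 0x03EC / Offset 0x8878 whose real data sits at 0x8C64); the atom positions (0x100, 0x114, 0x128), the third atom with an out-of-range offset, and the wraps32 field are my assumptions for illustration.

```python
import struct

ATOM_SIZE = 20      # 4-byte name + DWORD Length + DWORD Offset + 8 unused bytes
TAG = b"rcsL"
DWORD_MAX = 0xFFFFFFFF


def parse_rcsl_atom(buf, pos):
    """Parse the 20-byte rcsL atom at buf[pos:]; return (length, offset)."""
    if pos < 0 or pos + ATOM_SIZE > len(buf):
        raise ValueError("truncated rcsL atom at 0x%X" % pos)
    if buf[pos:pos + 4] != TAG:
        raise ValueError("no rcsL tag at 0x%X" % pos)
    # Length and Offset are both little-endian DWORDs (see the atom layout above)
    length, offset = struct.unpack_from("<II", buf, pos + 4)
    return length, offset


def data_address(length, offset):
    """Address of the atom's data block, per the article: Offset + Length + 8."""
    return offset + length + 8


def check_rcsl_atom(buf, pos):
    """Validate one atom: the computed data address must be in bounds and point at 'rcsL'.

    'wraps32' is an assumption of this example: it flags sums that would overflow a
    32-bit DWORD, which a native parser doing the same addition must also guard against.
    """
    length, offset = parse_rcsl_atom(buf, pos)
    addr = data_address(length, offset)
    wraps32 = addr > DWORD_MAX
    in_bounds = (not wraps32) and addr + 4 <= len(buf)
    tag_ok = in_bounds and buf[addr:addr + 4] == TAG
    return {
        "length": length,
        "offset": offset,
        "address": addr,
        "wraps32": wraps32,
        "in_bounds": in_bounds,
        "valid": tag_ok,
    }


def audit(buf, atom_positions):
    """Return the positions of atoms whose data address fails validation."""
    return [pos for pos in atom_positions if not check_rcsl_atom(buf, pos)["valid"]]


def make_atom(length, offset):
    """Serialise an rcsL atom header (constructed helper)."""
    return TAG + struct.pack("<II", length, offset) + b"\x00" * 8


def build_sample():
    """Constructed buffer imitating the layout in the article (not a real DIR file)."""
    buf = bytearray(0x9000)
    atoms = {
        0x100: (0x02C0, 0x85A8),       # good atom: 0x02C0 + 0x85A8 + 8 = 0x8870
        0x114: (0x03EC, 0x8878),       # bad atom: computes 0x8C6C, real data is at 0x8C64
        0x128: (0x03EC, 0xFFFF0000),   # constructed: offset far past the end of the file
    }
    for pos, (length, offset) in atoms.items():
        buf[pos:pos + ATOM_SIZE] = make_atom(length, offset)
    buf[0x8870:0x8874] = TAG           # data of the 1st atom
    buf[0x8C64:0x8C68] = TAG           # data of the 2nd atom (where it really is)
    return bytes(buf), sorted(atoms)


if __name__ == "__main__":
    sample, positions = build_sample()
    for pos in positions:
        r = check_rcsl_atom(sample, pos)
        print("atom @0x%04X: Length=0x%04X Offset=0x%08X -> data @0x%08X valid=%s"
              % (pos, r["length"], r["offset"], r["address"], r["valid"]))
    print("failing atoms:", ["0x%X" % p for p in audit(sample, positions)])
```

Two checks are doing the work: the bounds check catches offsets that point outside the file at all, and the tag check catches the case from the article, where the computed address is inside the file but not where the data actually starts. The wraps32 flag matters only when the same addition is done in 32-bit arithmetic, where a large Offset can wrap the sum back into an apparently valid range.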
 
Mitigation
Networks and users that have deployed Fortinet IPS solutions are already protected from this vulnerability with IPS Signature Adobe.Shockwave.Player.rcsL.Atom.Handling.Memory.Corruption.
 
Adobe patched this vulnerability this week with version 12.2.1.171 of Shockwave Player. Users of Adobe Shockwave Player 12.2.0.162 and earlier (on both Windows and Mac) should upgrade as soon as possible.
 
Thanks to the FortiGuard Labs team for discovering this vulnerability.