TITLE:
Adobe Shockwave Player Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA43811

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43811/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43811

RELEASE DATE:
2011-06-15

DISCUSS ADVISORY:
http://secunia.com/advisories/43811/#comments

DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error in dirapi.dll can be exploited to corrupt memory.
2) An unspecified error in dirapi.dll can be exploited to corrupt memory.
3) An unspecified error in dirapi.dll can be exploited to corrupt memory.
4) An unspecified error in dirapi.dll can be exploited to corrupt memory.
5) Unspecified errors in dirapi.dll can be exploited to corrupt memory.
6) An input validation error in dirapi.dll when calculating offsets into buffers based on various 16-bit values in rcsL chunks can be exploited to corrupt memory.
7) A logic error in dirapi.dll when a xtcL chunk is not present as expected results in use of uninitialised memory.
8) An integer overflow error in dirapi.dll when parsing certain 16-bit fields in rcsL chunks can be exploited to cause heap-based buffer overflows.
9) An error in dirapi.dll when parsing rcsL chunks can be exploited to cause a heap-based buffer overflow as a size value is calculated based on two pointer values without ensuring that the first pointer value is greater than the second pointer value.
10) An unspecified design flaw exists in an unspecified component.
11) An integer overflow error in dirapi.dll when parsing rcsL chunks can be exploited to cause a heap-based buffer overflow.
12) A boundary error in "Font Asset.x32" when parsing font-related structures can be exploited to cause stack-based buffer overflows.
13) Multiple unspecified errors exist in IML32.dll.
14) Integer overflow errors in a function used to calculate how much space is required for storing a specified amount of DEMX data of a specified type can be exploited to cause buffer overflows.
15) An integer overflow error in a function used to create a structure for storing DEMX data can be exploited to cause heap-based buffer overflows.
16) An error when allocating buffers based on sizes obtained from KEY* chunks can be exploited to cause a heap-based buffer overflow as an allocated buffer may not be sufficiently sized to contain the minimum amount of data being copied.
17) An integer underflow error in IML32.dll when e.g. decompressing embedded GIF images can be exploited to corrupt memory.
18) Missing input validation in TextXtra.x32 within a function designed to read data into a buffer based on size values obtained from DEMX chunks can be exploited to cause buffer overflows.
19) An error when extracting strings from embedded media objects can be exploited to write a NULL byte to an arbitrary memory location.
20) An error in dirapi.dll when parsing CASt chunks can be exploited to cause buffer overflows as size values are not properly checked before being used in a call to memmove().
21) An integer overflow error in IML32.dll when allocating buffers to e.g. contain data from rcsL chunks can be exploited to cause a heap-based buffer overflow.
22) An integer overflow error in TextXtra.x32 when parsing text elements can be exploited to cause heap-based buffer overflows.
23) An integer overflow error when allocating memory for substructures within xtcL chunks can be exploited to cause heap-based buffer overflows.
24) An integer overflow error in the Shockwave3DAsset component when parsing DEMX chunks can be exploited to cause a heap-based buffer overflow.
25) Missing input validation within the parsing of certain structures in rcsL chunks can be exploited to corrupt memory as an offset is trusted when calculating a pointer value.
26) Multiple unspecified errors in IML32.dll can be exploited to corrupt memory.
27) An unspecified error in IML32.dll can be exploited to corrupt memory.
28) A logic error when attempting to reallocate memory based on DEMX data may result in memory not being reallocated as expected and can be exploited to cause heap-based buffer overflows.
29) An input validation error exists in the FLV ASSET Xtra component.
30) A logic error in dirapi.dll when parsing substructures within rcsL chunks can be exploited to trigger misallocation of buffers and cause heap-based buffer overflows.
31) An integer overflow error in the CursorAsset x32 component when parsing cursor structures can be exploited to cause a heap-based buffer overflow.
32) An integer overflow error in AudioMixer.x32 when parsing mixer structures can be exploited to cause a heap-based buffer overflow.
33) An unspecified error in dirapi.dll can be exploited to corrupt memory.
34) An integer overflow error exists in the Shockwave 3D Asset x32 component.
35) A logic error when attempting to allocate memory for DEMX data using overly large sizes may result in memory not being allocated as expected and can be exploited to corrupt memory.
36) An error in Dirapix.dll can be exploited to cause a buffer overflow.
37) An unspecified error can be exploited to cause a buffer overflow.
38) An unspecified error can be exploited to corrupt memory.
39) An input validation error when parsing DEMX chunks causes an invalid value to be used as a loop counter when writing data, which can be exploited to corrupt memory.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities are reported in version 11.5.9.620. Other versions may also be affected.

SOLUTION:
Update to version 11.6.0.626.

PROVIDED AND/OR DISCOVERED BY:
1-4, 36-38) Reported by the vendor.
5) The vendor credits Honggang Ren of Fortinet's Fortiguard Labs, Mark Yason of IBM X-Force Research, Aaron Portnoy and Logan Brown of TippingPoint DVLabs, Aniway via ZDI, Luigi Auriemma via iDefense.
6, 14, 15, 18, 28, 35, 39) Carsten Eiram, Secunia Research.
7, 8, 9, 11, 16, 17, 21, 22, 23, 30) Luigi Auriemma via ZDI.
10) The vendor credits Will Dormann, CERT/CC.
12, 31, 32) Sebastian Apelt via ZDI.
13) The vendor credits Aaron Portnoy and Logan Brown, TippingPoint DVLabs.
18) Binaryproof via ZDI.
19, 20) Luigi Auriemma and Donato Ferrante via ZDI.
24, 25) Aniway via ZDI.
26) The vendor credits Luigi Auriemma via iDefense and Rodrigo Rubira Branco of Qualys Vulnerability & Malware Research Team (VMRT).
27) The vendor credits Aaron Portnoy and Logan Brown, TippingPoint DVLabs.
29) The vendor credits Donato Ferrante via ZDI.
33) The vendor credits Celil Ünüver, SignalSEC and BGA.
34) The vendor credits Luigi Auriemma via iDefense.

ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-17.html

Secunia Research:
http://secunia.com/secunia_research/2011-40/
http://secunia.com/secunia_research/2011-42/
http://secunia.com/secunia_research/2011-43/
http://secunia.com/secunia_research/2011-44/
http://secunia.com/secunia_research/2011-45/
http://secunia.com/secunia_research/2011-46/
http://secunia.com/secunia_research/2011-47/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-200/
http://www.zerodayinitiative.com/advisories/ZDI-11-201/
http://www.zerodayinitiative.com/advisories/ZDI-11-202/
http://www.zerodayinitiative.com/advisories/ZDI-11-203/
http://www.zerodayinitiative.com/advisories/ZDI-11-204/
http://www.zerodayinitiative.com/advisories/ZDI-11-205/
http://www.zerodayinitiative.com/advisories/ZDI-11-206/
http://www.zerodayinitiative.com/advisories/ZDI-11-207/
http://www.zerodayinitiative.com/advisories/ZDI-11-208/
http://www.zerodayinitiative.com/advisories/ZDI-11-209/
http://www.zerodayinitiative.com/advisories/ZDI-11-210/
http://www.zerodayinitiative.com/advisories/ZDI-11-211/
http://www.zerodayinitiative.com/advisories/ZDI-11-212/
http://www.zerodayinitiative.com/advisories/ZDI-11-213/
http://www.zerodayinitiative.com/advisories/ZDI-11-214/
http://www.zerodayinitiative.com/advisories/ZDI-11-215/
http://www.zerodayinitiative.com/advisories/ZDI-11-216/
http://www.zerodayinitiative.com/advisories/ZDI-11-217/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

----------------------------------------------------------------------
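The size-calculation flaws in items 8, 9 and 16 of the description share one root cause: a length derived from file data is used before it is validated. The C code below is an added example, not Adobe's code and not the Director file format; the record layout, `ENTRY_SIZE` and all function names are constructed for illustration. It contrasts a wrapping 16-bit size calculation with checked versions of the three patterns, using offsets instead of raw pointers so that the ordering test is well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 12u /* constructed record size, not a real format value */

/* Unsafe: the product is narrowed to 16 bits, so a large count wraps small. */
uint16_t naive_table_size(uint16_t count)
{
    return (uint16_t)(count * ENTRY_SIZE);
}

/* Hardened: multiply in size_t and reject sizes beyond the payload. */
int checked_table_size(uint16_t count, size_t payload_len, size_t *out)
{
    size_t need = (size_t)count * ENTRY_SIZE; /* at most 65535 * 12 */
    if (need > payload_len)
        return -1;
    *out = need;
    return 0;
}

/* Hardened: check ordering and bounds first, or end - start wraps huge. */
int checked_span(size_t len, size_t start_off, size_t end_off, size_t *out)
{
    if (start_off > end_off || end_off > len)
        return -1;
    *out = end_off - start_off;
    return 0;
}

/* Hardened: allocate max(declared, minimum always copied); source must hold it. */
uint8_t *copy_record(const uint8_t *src, size_t src_len, size_t declared, size_t min_copy)
{
    size_t n = declared > min_copy ? declared : min_copy;
    if (n == 0 || n > src_len)
        return NULL;
    uint8_t *dst = malloc(n);
    if (dst)
        memcpy(dst, src, n);
    return dst;
}

int main(void)
{
    printf("naive size for count 0x1556: %u\n", (unsigned)naive_table_size(0x1556));
    return 0;
}
```

A parser that allocates `naive_table_size(count)` bytes and then writes `count` entries overflows the heap buffer; the checked variants reject the same input before any allocation or copy takes place.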