5907475 2000-12-29 18:25 +0000  /108 rader/ Krawetz, Neal <nealk@VERINET.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-02  18:24  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: nealk@VERINET.COM
Mottagare: Bugtraq (import) <14553>
Ärende: Shockwave Flash buffer overflow
------------------------------------------------------------
From: "Krawetz, Neal" <nealk@VERINET.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001229182557.12660.qmail@www5>

I have identified a buffer overflow condition in the Shockwave Flash
plugin for web browsers.

Although this is "yet another buffer overrun", Macromedia's web page
claims that 90% of all web browsers have the plugins installed.
Since this overflow can be used to run arbitrary code, it impacts 90%
of all "web" enabled systems.


=====
Area of affect:
All SWF plugins on all platforms.
I have validated it with the Shockwave Flash plugins versions 2 through 8.
I have validated it on Windows 95, 98, NT, MacOS 9, Solaris 2.6 and 2.7, and RedHat Linux 6.0.
I have validated it using Netscape (4.04, 4.7) and Internet Explorer.

The buffer overflows are consistent per platform, but vary between
plaforms.  (Or in english:  A corrupt SWF may crash Netscape on
Windows 95, but only screw up the graphics under Linux.  This SWF
will always crash Netscape on Win95 the same way and it will always
screw up the Linux graphics the same way.  A different corrupt SWF
file could crash the browser on all platforms.)


=====
Root cause:
(Keep in mind -- I have not actually seen the source code for the plugins -- I have only determined this from the symptoms.)

Bounds checking is not being performed on the SWF data.

The SWF file is in the format:
  tag length data tag length data ...
Where "tag" tells what action to perform and "length" is the size of the data for the tag.  ("data" is the data for the tag.)
For example:
  Define_Picture "40 bytes" data_for_the_picture

Some tags have more complex data formats, where data contains:
  subtag sublength subdata subtag sublength subdata "0"
The "0" means "end of data".
So, the entire tag looks like:
  tag length (subtag1 sublength1 subdata1 subtag2 sublength2 subdata2 "0")

Sample tags with complex data are Define_Sprite (tag 39) and
Do_Action (tag 12).  If the "0" is missing, or appears beyond
"length" bytes, then a buffer overflow occurs.

Or in other words:  If the lengths or sublengths are wrong, then the
shockwave flash plugin will overflow.


=====
Impact of risk:
The buffer overflow can be used to execute arbitrary code stored in the SWF file.
"Bad" arbitrary code causes the plugin to crash the browser.
"Good" arbitrary code can execute a program on the browser's computer.
This can be used to propogate a virus, worm, or do other harmful tasks.

It is possible to write a single SWF file that contains
platform-specific overflow/opcodes for multiple systems (Solaris,
Linux, Windows, Irix, etc.).


=====
Worst case:
I'll leave this for you to decide.
I believe a multi-platform (Windows/Unix) self-modifying virus is possible.  ("Self-modifying" would be hard part.)


=====
What can you do:
1. Hope that Macromedia corrects the problem.  Download the corrected version when/if it becomes available.

2. The anti-virus vendors can write modules to check the bounds on
SWF files from web pages.  (If data should be null terminated,
validate that there is a null.  For some tags (like tag 83), make
sure there are two nulls in the data.  Make sure there are no illegal
tags.)

3. Hope the issue is addressed before someone writes something nasty.
Until then, disable (remove) the Shockwave Flash plugin.


=====
Reporting history:
(I am including this in case someone decides to sue me.)

Early July 2000:
 - Identified the defect.

July 25, 2000:
 - Reported defect to Macromedia (call number TWL2000072500018060)

July 26, 2000:
 - Reported the defect to CERT, NIPC, and CIAC.

July 30, 2000:
 - Conact from "Chris" at Macromedia asking for more information.  I
provided details.

August 2000:
 - Taked with "Chris" from CERT at Usenix Security conference.  He
called it a "sleeper" and said he would look into it.  (I know...
There were two guys named "Chris from CERT" -- this was the
dark-haired guy.)  [As an aside, isn't there some risk about
everybody being named "Chris"?]

December 15, 2000:
 - No advisories or notice from Macromedia, CERT, NIPC, or CIAC.
 - Macromeda has, during this time, released updates to Shockwave
Flash and these are still vulnerable.  (Evidence that they are not
invesitigating or addressing the issue.)
 - Decided to post to BugTraq.
 - By dumb luck, met a guy at a party who knew a guy who was the
sister of a "senior manager" at Macromedia.  Decided to hold off
posting.

December 18, 2000:
 - Made contact with the manager's brother.  Left phone message for
sister at Macromedia.

December 19, 2000:
 - Provided details of exploit to Macromedia.  Also provided sample
SWF files that perform buffer overflows on various platforms.

December 20, 2000:
 - Received the same reply from Macromedia that I did on July 30.
(It has been forwarded to the engineers for investigation.)
 - Decided to give them one week to respond before posting to Bugtraq.

December 29, 2000:
 - Post to Bugtraq.  (In hindsight, I should have done this back in
August.)
(5907475) --------------------------------(Ombruten)
Kommentar i text 5907490 av Bellman -- The Recursive Hacker