Adobe Shockwave Player CVE-2010-2876 RCE via Integer Overflow in .dir/.dcr Parsing

Vulnerability Details Basic Information Title: Adobe Shockwave Player Director File FFFFFFF8 Record Processing Remote Code Execution Vulnerability ID: - ZDI-10-164 - ZDI-CAN-864 CVE ID: CVE-2010-2876 CVSS Score: 9.0, AV:N/AC:L/Au:N/C:P/I:P/A:C Affected Scope Affected Vendor: Adobe Affected Product: Shockwave Player Vulnerability Details Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave Player. User interaction with a malicious page or file is required to exploit this vulnerability. Technical Details: A specific flaw exists in the code that processes the unrecorded record type when parsing and files. During the arithmetic operation to calculate heap buffer size, the code trusts two user-supplied word values. By specifying sufficiently large values, an integer overflow may occur. The allocated heap buffer may then be overwritten with user-supplied data. Attackers can exploit this to execute remote code in the context of the user running the browser. Additional Details Remediation: Adobe has released an update to address this vulnerability. More details can be found in Adobe's security bulletin: http://www.adobe.com/support/security/bulletins/apsb10-20.html Disclosure Timeline: - 2010-07-20 - Vulnerability reported to vendor - 2010-08-24 - Coordinated vulnerability announcement released Discoverer: Anonymous Mitigation Trend Micro Customer Protection: Trend Micro TippingPoint IPS customers are protected by Digital Vaccine filter ID ['10285'] against this vulnerability. For further product information on TippingPoint IPS, visit: http://www.tippingpoint.com

Goal Reached Thanks to every supporter — we hit 100%!

Adobe Shockwave Player CVE-2010-2876 RCE via Integer Overflow in .dir/.dcr Parsing