Signature Detail

HTTP: Adobe Shockwave Director tSAC Chunk String Termination Memory Corruption

A memory corruption vulnerability has been identified in Adobe Shockwave Player. The vulnerability is due to the software blindly using a string-size value, which is provided in the file, to null-terminate a string. This allows an attacker to write a null-byte at a controlled offset from the beginning of the string buffer. A remote attacker can exploit this vulnerability by enticing a target user to visit a maliciously crafted web site containing a specially crafted Adobe Director file. Successful exploitation could result in execution of arbitrary code within the security context of the currently logged on user. An unsuccessful exploit attempt may terminate the affected application abnormally.

Extended Description

Adobe Shockwave Player is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions prior to Adobe Shockwave Player 11.6.0.626 are vulnerable. NOTE: This issue was previously documented in BID 48270 (Adobe Shockwave Player APSB11-17 Multiple Remote Vulnerabilities) but has been given its own record to better document it.

Affected Products

• Adobe Shockwave Player 11
• Adobe Shockwave Player 11.0.0.456
• Adobe Shockwave Player 11.0.3.471
• Adobe Shockwave Player 11.5.0.595
• Adobe Shockwave Player 11.5.0.596
• Adobe Shockwave Player 11.5.0.600
• Adobe Shockwave Player 11.5.0.601
• Adobe Shockwave Player 11.5.1.601
• Adobe Shockwave Player 11.5.2.602
• Adobe Shockwave Player 11.5.2.606
• Adobe Shockwave Player 11.5.6.606
• Adobe Shockwave Player 11.5.7.609
• Adobe Shockwave Player 11.5.8.612
• Adobe Shockwave Player 11.5.9.615
• Adobe Shockwave Player 11.5.9.620

References

• BugTraq: 48304
• CVE: CVE-2011-2118