Adobe Shockwave Player tSAC chunk code execution (RIFF_Shockwave_tSAC_Exec)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network MFS:

This signature detects RIFX content having an invalid value within the 'tSAC' chunk (actually a 'CASt' chunk in a reverse file order) that may cause a signedness error in Adobe Shockwave Player and lead to remote code execution or memory corruption.


Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2730, RealSecure Server Sensor: XPU 32.020, Virtual Server Protection for Vmware: XPU 32.020, Proventia Server IPS for Linux technology: 32.020, Proventia Network IPS: XPU 32.020, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia-G 1.1 and earlier: XPU 32.020, Proventia Network IDS: XPU 32.020, IBM Security Host Protection for Desktops: 2730, Proventia Network MFS: XPU 32.020

Systems affected

Adobe Shockwave Player: 11.5.7.609

Type

Unauthorized Access Attempt

Vulnerability description

Adobe Shockwave Player could allow a remote attacker to execute arbitrary code on the system, caused by a signedness error while parsing the tSAC RIFF chunk in the DIRAPI module. By persuading a victim to open a specially-crafted Shockwave file, a remote attacker could corrupt memory to execute arbitrary code on the system or cause the application to crash.

How to remove this vulnerability

Refer to APSB10-20 for patch, upgrade or suggested workaround information. See References.

References

Adobe Product Security Bulletin APSB10-20
Security update available for Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb10-20.html

TPTI-10-13
Adobe Shockwave Director tSAC Chunk Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-13

Offensive Security Exploit Database [09-22-2010]
MOAUB #22 - Adobe Shockwave Director tSAC Chunk Memory Corruption
http://www.exploit-db.com/exploits/15076/

ISS X-Force
Adobe Shockwave Player tSAC chunk code execution
http://www.iss.net/security_center/static/61352.php

CVE
CVE-2010-2866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2866