COMMAND
Shockwave
SYSTEMS AFFECTED
Shockwave
PROBLEM
Neal found the following. The Flash file format (SWF) uses the form:
tag length data tag length data ...
Where "Tag" defines a task (define image, do action, etc.),
"length" is the size of the data for the tag, and data contains
tag-specific information.
Many of the tags expect the data to contain a null terminator "0",
for example strings or complex actions (the "0" means "no more
actions for this tag").
In most cases, if the terminating "0" is missing, a read-overflow
is created.
The Flash plugin crashes, and crashes the browser with it. We
suspect that MS Outlook may also crash if the Flash animation
runs in the preview pane, but this is only in theory and has not
been tested.
If a corrupt SWF file is placed on a web server, it can cause a
buffer-overflow and crash all visiting browsers. This is a DoS.
Neal came across another SWF risk. The problem seems to be with
tag 8 length 1 (action toggle quality, whose length should be zero).
When tag 8 has a length of 1 (the single byte of data itself is
ignored), the browser hangs.
Under Win98 on a Dell Latitude CP (laptop):
- CPU pegs at 100%
- Netscape is unresponsive
- If we kill the unresponsive Netscape, our laptop hangs after
a suspend/restore and requires power cycling.
Under MacOS 9 on an iMac:
- CPU load program stops running (appears to hang)
- Netscape hangs. We cannot switch tasks (Command-. and other
keyboard strokes are ignored). The system must be power
cycled.
- Only the mouse pointer moves, but it cannot click on
anything.
This has not been tested on other platforms. Working example SWF
code:
46 57 53 05 19 00 00 00 78 00 04 e2 00 00 0c e4 00 00 0a 03 00 01 02 00 00
This is a worse DoS than the read-overflow because the browser
does not die and all CPU cycles are consumed. MacOS requires
power-cycling and Win98 should be rebooted (ok, no surprise for
Win98...).
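The two malformations described above (a tag whose length runs past the
end of the data, and tag 8 carrying a non-zero length) can both be caught
by a structural check before a file is served or opened. The following is
an added example for this advisory, not Macromedia's or Neal's code. The
header and RECORDHEADER layout it assumes come from the public SWF format
(not from the advisory): "FWS", version byte, little-endian u32 length, a
RECT whose top 5 bits give the width of its four fields, u16 frame rate,
u16 frame count, then tags whose u16 header is (code << 6) | length with
length 0x3f meaning a u32 long length follows; tag 0 is End and tag 12
(DoAction) must end in a 0x00 byte. Tag 8 is treated the way the advisory
describes it (length should be zero). The 25-byte sample quoted above is
used as one test input; the other inputs are constructed here.

```python
"""Structural checks for an uncompressed SWF file (added defender's example)."""
import struct

END_TAG = 0
TOGGLE_QUALITY_TAG = 8   # named this way by the advisory; length should be 0
DOACTION_TAG = 12        # payload must end with the 0x00 "no more actions" byte

# The 25-byte file quoted in the advisory, used here only as a test input.
ADVISORY_SAMPLE = bytes.fromhex(
    "46 57 53 05 19 00 00 00 78 00 04 e2 00 00 0c e4 00 00 0a 03 00 01 02 00 00"
)


def make_swf(tag_bytes, version=5):
    """Build a minimal SWF around raw tag bytes (for constructed test inputs).

    RECT with nbits=0 (one zero byte), 12 fps, frame count 1.
    """
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + tag_bytes
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def parse_header(data):
    """Return (version, declared_length, offset_of_first_tag) or raise ValueError."""
    if len(data) < 13 or data[:3] != b"FWS":
        raise ValueError("not an uncompressed SWF (missing FWS signature)")
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    nbits = data[8] >> 3                  # top 5 bits of the RECT
    rect_len = (5 + 4 * nbits + 7) // 8   # RECT rounded up to whole bytes
    first_tag = 8 + rect_len + 2 + 2      # + frame rate + frame count
    if first_tag > len(data):
        raise ValueError("header runs past end of file")
    return version, declared_len, first_tag


def iter_tags(data, offset):
    """Yield (code, length, payload, truncated) per tag; stop at End, EOF or truncation."""
    while offset + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, offset)[0]
        code, length = hdr >> 6, hdr & 0x3F
        offset += 2
        if length == 0x3F:                # long form: u32 length follows
            if offset + 4 > len(data):
                yield code, None, b"", True
                return
            length = struct.unpack_from("<I", data, offset)[0]
            offset += 4
        payload = data[offset:offset + length]
        truncated = len(payload) < length   # the read-overflow case
        yield code, length, payload, truncated
        offset += length
        if code == END_TAG or truncated:
            return


def check_swf(data):
    """Return a list of findings; an empty list means no structural problem was found."""
    try:
        version, declared_len, offset = parse_header(data)
    except ValueError as exc:
        return [f"header: {exc}"]
    findings = []
    if declared_len != len(data):
        findings.append(f"declared length {declared_len} != actual {len(data)}")
    saw_end = False
    for code, length, payload, truncated in iter_tags(data, offset):
        if truncated:
            if length is None:
                findings.append(f"tag {code}: long-length header truncated")
            else:
                findings.append(f"tag {code}: length {length} exceeds remaining bytes")
            continue
        if code == END_TAG:
            saw_end = True
        elif code == TOGGLE_QUALITY_TAG and length != 0:
            findings.append(f"tag 8: length {length}, expected 0 (CPU-hang trigger)")
        elif code == DOACTION_TAG and (not payload or payload[-1] != 0):
            findings.append("tag 12 (DoAction): missing terminating 0 byte")
    if not saw_end:
        findings.append("no End tag before end of file")
    return findings


if __name__ == "__main__":
    for finding in check_swf(ADVISORY_SAMPLE):
        print(finding)
```

Run against the advisory's sample, the checker reports the tag 8 length of
1 and that the file ends without an End tag; a well-formed ShowFrame + End
file produces no findings. The check stops at the first truncated tag
because every later offset would be derived from data that does not exist.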
SOLUTION
Macromedia have validated the read-buffer-overflow. This causes
the browser to crash, but does not permit arbitrary code to be
executed.