CVE-2011-2111 shockwave vulnerability


blahh
June 18th, 2011, 04:15
Hey everyone,
This is the first CVE I am analyzing so I'd love to have some help with this. The vulnerability is about an integer overflow in the IM32.dll file. The concerned advisory can be found here at http://www.zerodayinitiative.com/advisories/ZDI-11-206/.

In order to analyze the vulnerability, I downloaded the latest version and the version just before that, got the IM32.DLL files and did a binary diff. I cannot afford to get myself a copy of BinDiff so I'm using the PatchDiff plugin with IDA.

So, the number of identical and unmatched functions is really huge (which is understandable, one can see that a large number of security advisories are being taken care of in this update).

As mentioned in the DLL, this vulnerability is triggered when a GIF file with a certain offset is changed.

I'd like to load a GIF file, trace the execution and list all the functions called. This way I could look at the corresponding diffs and figure out the exact vulnerability.

If you were in my shoes, how would you go about doing this? Any recommended reading?

Thanks in advance.

ZaiRoN
June 20th, 2011, 12:53
I don't know exactly, but without any other information I would start from the beginning, where the file is opened... from that point you have to identify the piece of code used to parse each field of the gif structure...
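
The approach ZaiRoN describes (start where the file is opened, then follow the code that parses each GIF field) and the list of parser routines blahh wants to trace can be modelled with a small reference walker. The following Python is an added example written for this thread; it is not code from the forum, from Adobe or from IM32.dll, and it says nothing about where the actual bug is. It walks the GIF block structure, records the name of the routine that handled each field in call order (the sequence a debugger trace of a real decoder could be compared against), bounds-checks every read against the file length, and flags size computations that would wrap in 32-bit arithmetic. The sample GIF bytes are constructed inline, and the "4 bytes per pixel" canvas-size estimate is an assumption used only to illustrate the check.

```python
import struct

MAX_U32 = 0xFFFFFFFF


class GifParseError(ValueError):
    pass


class GifWalker:
    """Walks a GIF's block structure, recording which parser routine handled
    each field (self.trace) and any size arithmetic that would not fit in a
    32-bit integer (self.warnings)."""

    def __init__(self, data):
        self.data = data
        self.pos = 0
        self.trace = []
        self.warnings = []

    def _read(self, n):
        # Every read is checked against the file length before it happens.
        if self.pos + n > len(self.data):
            raise GifParseError("truncated file at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _u8(self):
        return self._read(1)[0]

    def _u16(self):
        return struct.unpack("<H", self._read(2))[0]

    def _check_u32(self, what, value):
        # Generic check: a product of attacker-controlled 16-bit fields can exceed
        # 32 bits; a decoder that stores it in a u32 would allocate too little.
        if value > MAX_U32:
            self.warnings.append("%s = %d wraps 32-bit arithmetic" % (what, value))

    def parse_header(self):
        self.trace.append("parse_header")
        sig = self._read(6)
        if sig not in (b"GIF87a", b"GIF89a"):
            raise GifParseError("bad signature %r" % sig)
        return sig.decode()

    def parse_logical_screen_descriptor(self):
        self.trace.append("parse_logical_screen_descriptor")
        width, height = self._u16(), self._u16()
        packed = self._u8()
        self._u8()  # background colour index
        self._u8()  # pixel aspect ratio
        gct_entries = 2 << (packed & 0x07) if packed & 0x80 else 0
        self._check_u32("canvas bytes", width * height * 4)  # assumed 4 B/pixel
        return {"width": width, "height": height, "gct_entries": gct_entries}

    def parse_color_table(self, entries):
        self.trace.append("parse_color_table")
        return self._read(entries * 3)  # RGB triplets; length comes from a flag byte

    def parse_image_descriptor(self):
        self.trace.append("parse_image_descriptor")
        left, top, width, height = (self._u16() for _ in range(4))
        packed = self._u8()
        lct_entries = 2 << (packed & 0x07) if packed & 0x80 else 0
        self._check_u32("frame bytes", width * height * 4)
        return {"left": left, "top": top, "width": width, "height": height,
                "lct_entries": lct_entries}

    def parse_sub_blocks(self):
        # Length-prefixed sub-blocks, terminated by a zero-length block.
        self.trace.append("parse_sub_blocks")
        payload = b""
        while True:
            n = self._u8()
            if n == 0:
                return payload
            payload += self._read(n)

    def parse_image_data(self):
        self.trace.append("parse_image_data")
        self._u8()  # LZW minimum code size
        return self.parse_sub_blocks()

    def parse_extension(self):
        self.trace.append("parse_extension")
        label = self._u8()
        return label, self.parse_sub_blocks()

    def walk(self):
        info = {"version": self.parse_header(), "frames": [], "extensions": []}
        lsd = self.parse_logical_screen_descriptor()
        info.update(lsd)
        if lsd["gct_entries"]:
            self.parse_color_table(lsd["gct_entries"])
        while True:
            sep = self._u8()
            if sep == 0x3B:                       # trailer: end of stream
                self.trace.append("trailer")
                return info
            if sep == 0x2C:                       # image descriptor
                desc = self.parse_image_descriptor()
                if desc["lct_entries"]:
                    self.parse_color_table(desc["lct_entries"])
                desc["pixels"] = self.parse_image_data()
                info["frames"].append(desc)
            elif sep == 0x21:                     # extension block
                info["extensions"].append(self.parse_extension())
            else:
                raise GifParseError("unknown block 0x%02X at %d" % (sep, self.pos - 1))


def walk_gif(data):
    """Returns (parsed info, parser call trace, 32-bit wrap warnings)."""
    w = GifWalker(data)
    info = w.walk()
    return info, w.trace, w.warnings


# Constructed sample: 2x2 canvas, 2-entry global colour table, one graphic
# control extension, one frame whose compressed data is a single 2-byte sub-block.
SAMPLE_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 2, 2, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 2, 2, 0)
    + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)

# Constructed sample with maximal 16-bit dimensions and no frames: parses fine,
# but the canvas-size product no longer fits in 32 bits.
HUGE_CANVAS_GIF = b"GIF89a" + struct.pack("<HHBBB", 0xFFFF, 0xFFFF, 0, 0, 0) + b"\x3b"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_GIF), ("huge", HUGE_CANVAS_GIF)):
        info, trace, warnings = walk_gif(blob)
        print(name, "->", " > ".join(trace), warnings)
```

Running the sample prints the routine sequence `parse_header > parse_logical_screen_descriptor > parse_color_table > parse_extension > parse_sub_blocks > parse_image_descriptor > parse_image_data > parse_sub_blocks > trailer`; once a real decoder's call trace (from Process Stalker or a similar tool) is lined up against this order, the diffed function that sits at the field of interest is much easier to pick out. Feeding a file cut short raises `GifParseError` instead of reading past the buffer.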

blahh
June 20th, 2011, 20:42
Hmm, is there any way I could trace the execution as it opens an animated GIF? I'm on an XP box, btw.

disavowed
June 25th, 2011, 20:29
http://www.woodmann.com/collaborative/tools/index.php/Conditional_Branch_Logger

http://www.woodmann.com/collaborative/tools/index.php/Process_Stalker