CVE-2010-3653
Published 2010-10-26
Priority: P2 · 73 · Critical · CVSS 2.0 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 74.63% (99.4th percentile)
The Director module (dirapi.dll) in Adobe Shockwave Player before 11.5.9.615 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director movie with a crafted rcsL chunk containing a field whose value is used as a pointer offset, as exploited in the wild in October 2010. NOTE: some of these details are obtained from third party information.
Affected
40 ranges · showing 25 (24 of the shown rows carry neither a version range nor a fix version and are omitted below)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | shockwave_player | <= 11.5.8.612 | — |
Detection & IOCs (extracted from sources)
Other: rcsL chunk in Director movie (.DIR/.DCR) file with crafted 4-byte field at offset 0x4C4B set to 0xFFF00267
Bytes: 0a0a0a0a (heap spray NOP-sled using OR opcode)
Bytes: nops=unescape('%u0a0a%u0a0a') heap spray pattern
- Detect Director movie files (.DIR/.DCR) delivered over HTTP with a crafted rcsL chunk; the RIFF-based format begins with a 4-byte RIFX identifier followed by chunk identifiers including rcsL.
- Flag heap spray patterns using 0x0a0a0a0a as the spray address/NOP-sled value in browser memory when a .DIR file is being loaded via a plugin.
- Monitor for JavaScript heap spray using repeated '%u0a0a%u0a0a' unescape patterns in pages that also embed a .DIR file (Content-Type: application/octet-stream).
- Alert on HTTP responses serving files with Content-Type application/octet-stream containing a RIFX/rcsL Director movie structure, especially when the referring page contains unescape-based heap spray JavaScript.
- The vulnerable code path is inside dirapi.dll at function sub_68122990; monitor for abnormal indirect calls via [ecx+eax*8+20h] with attacker-controlled EAX derived from the rcsL chunk field.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript post-exploitation; detect unexpected process migration activity following Shockwave Player execution.
- The vulnerability affects Adobe Shockwave Player versions before 11.5.9.615; the advisory was written against version 11.5.8.612.
- The rcsL chunk structure is undocumented; detection must rely on the presence of the chunk identifier and anomalous field values rather than a published specification.
- The Metasploit payload has bad characters \x00\x09\x0a\x0d which must be avoided; shellcode encoders will be used, potentially altering byte-level signatures.
CVSS provenance
NVD: CVSS v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
VulnCheck: 9.3 CRITICAL
GHSA
GHSA-xxv5-9hqx-8g9q: The Director module (dirapi
ghsa_unreviewed · 2022-05-17 · CVE-2010-3653 [HIGH] CWE-119
Description: identical to the CVE description above.
VulnCheck
Adobe shockwave_player Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2010 · CVSS 9.3 · CVE-2010-3653 [CRITICAL]
Description: identical to the CVE description above.
Affected: Adobe shockwave_player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.adobe.com/support/security/advisories/apsa10-04.html; https://www.cve.org/CVERe
No detection rules found.
Exploit-DB
Adobe Shockwave Player - rcsL Memory Corruption (Metasploit)
exploitdb · 2010-10-22 · CVE-2010-3653
---
```ruby
##
# $Id: adobe_shockwave_rcsl_corruption.rb 10784 2010-10-22 12:21:30Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header and initialize() opening reconstructed: the extraction dropped
# everything between the '<' of the superclass and the '>' of the first hash key.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Adobe Shockwave rcsL Memory Corruption',
      'Description' => %q{
          This module exploits a weakness in the Adobe Shockwave player's handling of
        Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented
        rcsL chunk. This vulnerability was discovered by http://www.abysssec.com.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ 'David
```
Exploit-DB
Adobe Shockwave Player - 'rcsL chunk' Memory Corruption
exploitdb · 2010-10-21 · CVE-2010-3653
---
Abysssec Inc Public Advisory
1) Advisory information
Title : Adobe Shockwave player rcsL chunk memory corruption
Version : Adobe Shockwave player 11.5.8.612 (latest at time of writing)
Discovery : http://www.abysssec.com
Vendor : http://www.adobe.com
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : ZeroDay Not Patched
3) Vulnerability information
Class - Memory corruption allowing command execution
Impact - Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause denial-of-service conditions.
Remotely Exploitable - Yes
Locally Exploitable - Yes
4) Vulnerabilities detail
Introduction
Shockwave player is a plug-in for loading Adobe Director
Metasploit
Adobe Shockwave rcsL Memory Corruption
metasploit
This module exploits a weakness in the Adobe Shockwave player's handling of Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented rcsL chunk.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Authors
- Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
References
- http://www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/
- http://www.adobe.com/support/security/bulletins/apsb10-25.html
- http://www.exploit-db.com/exploits/15296
- http://www.kb.cert.org/vuls/id/402231
- http://www.securityfocus.com/bid/44291
- http://www.securitytracker.com/id?1024635
- http://www.vupen.com/english/advisories/2010/2752
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62688
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11285