CVE-2011-2140
Published 2011-08-10
Priority: P276 · Severity: critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploited in the wild · VulnCheck KEV
EPSS: 82.26% (99.6th percentile)
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425.
Affected
102 ranges, showing 25 (only the rows with extracted version data are listed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_air | <= 2.7 | — |
| adobe | flash_player | <= 10.3.181.36 | — |
| adobe | flash_player | <= 10.3.185.25 | — |
Detection & IOCs (extracted from sources)
- Exploit delivers a crafted MP4 file via HTTP with Content-Type 'video/mp4'; the MP4 triggers a stack buffer overflow in Flash10u.ocx via a malformed SequenceParameterSetNALUnit where pic_order_cnt_type==1 causes an unbounded copy of offset_for_ref_frame data onto the stack.
- Exploit HTML page embeds a SWF media player (e.g. Longtail/JW Player SWF) pointing to an attacker-controlled MP4 URI; monitor for browser requests to .mp4 resources served from unusual hosts immediately after loading a SWF player embed.
- Heap spray using 0x0c0c0c0c as the nop-sled/shellcode landing address is characteristic of this exploit; EIP and ECX both point to 0x0c0c0c0c at crash time.
- Metasploit module uses SEH-based exit and auto-migrates the payload process; look for post-exploitation process migration activity (migrate -f) following Flash Player crashes.
- The exploit targets IE 6 on Windows XP SP3 and IE 7 on Windows XP SP3/Vista; User-Agent strings matching NT 5.1 + MSIE 6 or MSIE 7 are specifically selected for attack delivery.
- Vulnerability confirmed exploited in the wild; treat any Flash Player crash in Flash10u.ocx involving MP4 parsing as a high-priority incident.
- The Metasploit module requires an externally supplied SWF media player (e.g. Longtail SWF Player) to trigger the bug; the SWF is not bundled with the module, so the SWF_PLAYER_URI option must be configured by the attacker.
- Stack adjustment of -3500 bytes is used by the payload; this is an unusual stack pivot value that may aid in behavioral detection.
- JavaScript obfuscation is optional (OBFUSCATE flag); detections based solely on static JS signatures may miss obfuscated variants of the exploit HTML page.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Red Hat · vendor_redhat · 2011-08-09 · CVSS 10.0
CVE-2011-2417 [CRITICAL] flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
Same description as the NVD entry above, listing CVE-2011-2135, CVE-2011-2140, and CVE-2011-2425 as the other distinct vulnerabilities.
Red Hat · vendor_redhat · 2011-08-09 · CVSS 10.0
CVE-2011-2425 [CRITICAL] flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
Same description as the NVD entry above, listing CVE-2011-2135, CVE-2011-2140, and CVE-2011-2417 as the other distinct vulnerabilities.
Red Hat · vendor_redhat · 2011-08-09 · CVSS 10.0
CVE-2011-2135 [CRITICAL] flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
Same description as the NVD entry above, listing CVE-2011-2140, CVE-2011-2417, and CVE-2011-2425 as the other distinct vulnerabilities.
Red Hat · vendor_redhat · 2011-08-09 · CVSS 10.0
CVE-2011-2140 [CRITICAL] flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
Description identical to the NVD entry above.
GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 10.0
CVE-2011-2135 [CRITICAL] CWE-119 GHSA-wrxq-xp77-xv2c: Adobe Flash Player before 10
Same description as the NVD entry above, listing CVE-2011-2140, CVE-2011-2417, and CVE-2011-2425 as the other distinct vulnerabilities.
GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 10.0
CVE-2011-2425 [CRITICAL] CWE-119 GHSA-5r2p-gx4c-fqr4: Adobe Flash Player before 10
Same description as the NVD entry above, listing CVE-2011-2135, CVE-2011-2140, and CVE-2011-2417 as the other distinct vulnerabilities.
GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 10.0
CVE-2011-2140 [CRITICAL] CWE-119 GHSA-gwmg-8j97-jg68: Adobe Flash Player before 10
Description identical to the NVD entry above.
GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 10.0
CVE-2011-2417 [CRITICAL] CWE-119 GHSA-v7m5-7qjq-2hm5: Adobe Flash Player before 10
Same description as the NVD entry above, listing CVE-2011-2135, CVE-2011-2140, and CVE-2011-2425 as the other distinct vulnerabilities.
VulnCheck · vulncheck · 2011 · CVSS 10.0
CVE-2011-2140 [CRITICAL] Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
Description identical to the NVD entry above.
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://packetstormsecurity.com/files/109640/Adobe-Flash-Player-MP4-SequenceParameterSetNALUnit-Buffe
No detection rules found.
Exploit-DB · exploitdb · 2012-02-10
CVE-2011-2140 Adobe Flash Player - MP4 SequenceParameterSetNALUnit Buffer Overflow (Metasploit)
---
Excerpt as published (the class header and the end of the description are cut off in the source):
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
component. When processing a MP4 file (specifically the Sequence Parameter Set),
Flash will see if pic_order_cnt_type is equal to 1, which sets the
num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
offset_for_ref_frame
```
Exploit-DB · exploitdb · 2012-01-31 · CVSS 10.0
CVE-2011-2140 [CRITICAL] Adobe Flash Player - MP4 SequenceParameterSetNALUnit Remote Code Execution
---
Excerpt as published (only the header comments and the tail of main() survive in the source; indentation restored):
```python
# Abysssec Public Exploit
# CVE-2011-2140
# This exploit tested on Adobe Flash Player ' + spray_heap() + ''
        fHtml.write(contentHTML)
        fHtml.close()
        fMP4 = open('exploit.mp4', 'wb+')
        fMP4.write(createMP4())
        fMP4.close()
        print '[-] MP4 and Html files generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
if __name__ == '__main__':
    main()
```
Exploit-DB · exploitdb · 2011-08-13
D.R. Software Audio Converter 8.1 - DEP Bypass
---
Excerpt as published (cut off mid-line in the source):
```perl
#!/usr/bin/perl
#
#[+]Exploit Title: D.R. Software Audio Converter 8.1 DEP Bypass Exploit
#[+]Date: 13\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
#[+]Found By: Sud0 from Corelan Team(http://www.exploit-db.com/exploits/13760/) or also created KedAns-Dz(http://1337day.com/exploits/16248)
#[+]Version: 8.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
print q{
Created By C4SS!0 G0M3S
E-mail [email protected]
Site net-fuzzer.blogspot.com
};
print "\n\t\t[+]Creating Exploit File...\n";
sleep(2);
#####################################ROP FOR LoadLibraryA##############################
my $rop = pack('V',0x00430076); # POP ECX # RETN
$rop .= pack('V',
```
Metasploit · metasploit
Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing an MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild.
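As an added defender-side example (not code from the page, from Adobe or from the Metasploit module), the parser below reads the picture-order-count syntax of an H.264 SPS and flags an out-of-spec num_ref_frames_in_pic_order_cnt_cycle, the count that the module description and the IOC list say Flash copied onto the stack unchecked. The two SPS payloads are constructed for the example, and the parser assumes the 1-byte NAL header and any emulation-prevention bytes have already been removed.

```python
# Added example (defender-side triage), not code from the page, Adobe or the Metasploit module.
# Parses the picture-order-count syntax of an H.264 SPS and flags the count the page says
# Flash10u.ocx copied onto the stack unchecked. Assumes the 1-byte NAL header and any
# 00 00 03 emulation-prevention bytes are already stripped; High-profile SPS is not handled.
SPEC_MAX_POC_CYCLE = 255   # H.264 limit for num_ref_frames_in_pic_order_cnt_cycle
class BitReader:
    def __init__(self, data: bytes):
        self.bits, self.pos = "".join(f"{b:08b}" for b in data), 0
    def u(self, n: int) -> int:               # fixed-width unsigned field
        if self.pos + n > len(self.bits):
            raise ValueError("truncated SPS")
        v, self.pos = int(self.bits[self.pos:self.pos + n] or "0", 2), self.pos + n
        return v
    def ue(self) -> int:                      # unsigned Exp-Golomb ue(v)
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
        return (1 << zeros) - 1 + self.u(zeros)
    def se(self) -> int:                      # signed Exp-Golomb se(v)
        k = self.ue()
        return (k + 1) // 2 if k % 2 else -(k // 2)

def parse_sps(payload: bytes) -> dict:
    """Return the POC-related SPS fields and a 'suspicious' verdict (None = not assessed)."""
    r = BitReader(payload)
    profile_idc, _constraint_flags, level_idc = r.u(8), r.u(8), r.u(8)
    out = {"profile_idc": profile_idc, "level_idc": level_idc, "sps_id": r.ue(),
           "pic_order_cnt_type": None, "num_ref_frames_in_pic_order_cnt_cycle": None,
           "suspicious": None, "reason": ""}
    if profile_idc not in (66, 77, 88):      # Baseline/Main/Extended only
        out["reason"] = "unsupported profile_idc"
        return out
    r.ue()                                    # log2_max_frame_num_minus4
    poc_type = out["pic_order_cnt_type"] = r.ue()
    out["suspicious"] = False
    if poc_type == 0:
        r.ue()                                # log2_max_pic_order_cnt_lsb_minus4
    elif poc_type == 1:
        r.u(1); r.se(); r.se()                # delta_pic_order_always_zero_flag, two offsets
        n = out["num_ref_frames_in_pic_order_cnt_cycle"] = r.ue()
        if n > SPEC_MAX_POC_CYCLE:
            out["suspicious"], out["reason"] = True, f"{n} offset_for_ref_frame entries > 255"
            return out                        # stop before walking the oversized array
        for _ in range(n):
            r.se()                            # offset_for_ref_frame[i]
    return out

# Constructed samples (Baseline profile, level 3.0, pic_order_cnt_type 1), not real captures.
BENIGN_SPS = bytes.fromhex("42 00 1e d3 69 80")        # 2 offsets, within spec
MALFORMED_SPS = bytes.fromhex("42 00 1e d3 00 3e 88")  # claims 2000 offsets
```

Parsing stops after the picture-order-count fields, so the rest of a real SPS (frame count, dimensions, VUI) is never examined; a truncated payload raises ValueError rather than producing a verdict.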
References:
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00008.html
- http://secunia.com/advisories/48308
- http://www.adobe.com/support/security/bulletins/apsb11-21.html
- http://www.redhat.com/support/errata/RHSA-2011-1144.html
- http://www.us-cert.gov/cas/techalerts/TA11-222A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14074