Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X) - Nessus

High   Plugin ID: 80174

---

This page contains detailed information about the Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 80174
Name: Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X)
Filename: macosx_shockwave_player_apsb10-25.nasl
Vulnerability Published: 2010-10-21
This Plugin Published: 2014-12-22
Last Modification Time: 2022-04-11
Plugin Version: 1.7
Plugin Type: local
Plugin Family: MacOS X Local Security Checks
Dependencies: shockwave_player_detect_macosx.nbin
Required KB Items [?]: Host/MacOSX/Version, installed_sw/Shockwave Player

Vulnerability Information

---

Severity: High
Vulnerability Published: 2010-10-21
Patch Published: 2010-10-28
CVE [?]: CVE-2010-2581, CVE-2010-2582, CVE-2010-3653, CVE-2010-3655, CVE-2010-4084, CVE-2010-4085, CVE-2010-4086, CVE-2010-4087, CVE-2010-4088, CVE-2010-4089, CVE-2010-4090
CPE [?]: cpe:/a:adobe:shockwave_player
Exploited by Malware: True

Synopsis

The remote Mac OS X host contains a web browser plugin that is affected by multiple vulnerabilities.

Description

The remote Mac OS X host contains a version of Adobe Shockwave Player that is 11.5.8.612 or earlier. It is, therefore, affected by multiple vulnerabilities :

- A memory corruption issue exists that allows code execution. Note that there are reports that this issue is being exploited in the wild. (CVE-2010-3653)

- A heap-based buffer overflow vulnerability allows code execution. (CVE-2010-2582)

- Multiple memory corruption issues in the 'dirapi.dll' module allow code execution. (CVE-2010-2581, CVE-2010-3655, CVE-2010-4084, CVE-2010-4085, CVE-2010-4086, CVE-2010-4088)

- Multiple memory corruption issues in the 'IML32.dll' module allow code execution. (CVE-2010-4087, CVE-2010-4089)

- A memory corruption issue allows code execution. (CVE-2010-4090)

Solution

Upgrade to Adobe Shockwave 11.5.9.615 or later.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X) vulnerability:

1. Metasploit: exploit/windows/browser/adobe_shockwave_rcsl_corruption
   [Adobe Shockwave rcsL Memory Corruption]
2. Exploit-DB: exploits/windows/remote/16594.rb
   [EDB-16594: Adobe Shockwave Player - rcsL Memory Corruption (Metasploit)]
3. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	9.3 (High)
Impact Subscore:	10.0
Exploitability Subscore:	8.6
CVSS Temporal Score:	8.1 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.1 (High)

Go back to menu.

Plugin Source

---

This is the macosx_shockwave_player_apsb10-25.nasl nessus plugin source code. This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(80174);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2010-2581",
    "CVE-2010-2582",
    "CVE-2010-3653",
    "CVE-2010-3655",
    "CVE-2010-4084",
    "CVE-2010-4085",
    "CVE-2010-4086",
    "CVE-2010-4087",
    "CVE-2010-4088",
    "CVE-2010-4089",
    "CVE-2010-4090"
  );
  script_bugtraq_id(
    44291,
    44510,
    44512,
    44513,
    44514,
    44515,
    44516,
    44517,
    44518,
    44520,
    44521
  );
  script_xref(name:"CERT", value:"402231");

  script_name(english:"Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser plugin that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X host contains a version of Adobe Shockwave Player
that is 11.5.8.612 or earlier. It is, therefore, affected by multiple
vulnerabilities :

  - A memory corruption issue exists that allows code
    execution. Note that there are reports that this issue
    is being exploited in the wild. (CVE-2010-3653)

  - A heap-based buffer overflow vulnerability allows code
    execution. (CVE-2010-2582)

  - Multiple memory corruption issues in the 'dirapi.dll'
    module allow code execution. (CVE-2010-2581,
    CVE-2010-3655, CVE-2010-4084, CVE-2010-4085,
    CVE-2010-4086, CVE-2010-4088)

  - Multiple memory corruption issues in the 'IML32.dll'
    module allow code execution. (CVE-2010-4087,
    CVE-2010-4089)

  - A memory corruption issue allows code execution.
    (CVE-2010-4090)");
  script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb10-25.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Shockwave 11.5.9.615 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Adobe Shockwave rcsL Memory Corruption');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/10/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:shockwave_player");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.");

  script_dependencies("shockwave_player_detect_macosx.nbin");
  script_require_keys("installed_sw/Shockwave Player", "Host/MacOSX/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

app = 'Shockwave Player';

get_install_count(app_name:app, exit_if_zero:TRUE);

install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);

ver = install['version'];
path = install['path'];

if (ver_compare(ver:ver, fix:'11.5.8.612', strict:FALSE) <= 0)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + ver +
      '\n  Fixed versions    : 11.5.9.615' +
      '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(port:0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/macosx_shockwave_player_apsb10-25.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\macosx_shockwave_player_apsb10-25.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/macosx_shockwave_player_apsb10-25.nasl

Go back to menu.

How to Run

---

Here is how to run the Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select MacOS X Local Security Checks plugin family.
6. On the right side table select Adobe Shockwave Player <= 11.5.8.612 (APSB10-25) (Mac OS X) plugin ID 80174.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl macosx_shockwave_player_apsb10-25.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a macosx_shockwave_player_apsb10-25.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - macosx_shockwave_player_apsb10-25.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state macosx_shockwave_player_apsb10-25.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 44291, 44510, 44512, 44513, 44514, 44515, 44516, 44517, 44518, 44520, 44521

CERT | Computer Emergency Response Team:

• 402231

See also:

• https://www.tenable.com/plugins/nessus/80174
• http://www.adobe.com/support/security/bulletins/apsb10-25.html
• https://vulners.com/nessus/MACOSX_SHOCKWAVE_PLAYER_APSB10-25.NASL

Similar and related Nessus plugins:

• 50387 - Shockwave Player < 11.5.9.615
• 78081 - Google Chrome < 38.0.2125.101 Multiple Vulnerabilities (Mac OS X)
• 78442 - Adobe AIR for Mac <= 15.0.0.249 Multiple Vulnerabilities (APSB14-21)
• 78443 - Flash Player for Mac <= 15.0.0.167 Multiple Vulnerabilities (APSB14-22)
• 78476 - Google Chrome < 38.0.2125.104 Multiple Vulnerabilities (Mac OS X)
• 78550 - Mac OS X < 10.10 Multiple Vulnerabilities (POODLE) (Shellshock)
• 78551 - Mac OS X Multiple Vulnerabilities (Security Update 2014-005) (POODLE) (Shellshock)
• 78599 - Mac OS X : OS X Server < 2.2.5 SSLv3 Information Disclosure (POODLE)
• 78600 - Mac OS X : OS X Server < 3.2.2 SSLv3 Information Disclosure (POODLE)
• 78601 - Mac OS X : OS X Server < 4.0 Multiple Vulnerabilities (POODLE)
• 78677 - Mac OS X : Cisco AnyConnect Secure Mobility Client < 3.1(5187) (POODLE)
• 78891 - Mac OS X : Java for OS X 2014-001
• 79142 - Adobe AIR for Mac <= 15.0.0.293 Multiple Vulnerabilities (APSB14-24)
• 79143 - Flash Player For Mac <= 15.0.0.189 Multiple Vulnerabilities (APSB14-24)
• 79144 - Google Chrome < 38.0.2125.122 Multiple Vulnerabilities (Mac OS X)
• 79662 - Firefox < 34.0 Multiple Vulnerabilities (Mac OS X)
• 79663 - Mozilla Thunderbird < 31.3 Multiple Vulnerabilities (Mac OS X)
• 80172 - Adobe Shockwave Player <= 11.5.6.606 Multiple Vulnerabilities (APSB10-12) (Mac OS X)
• 80220 - GitHub < 1.9.4 .git/config Command Execution (Mac OS X)
• 80227 - APPLE-SA-2014-12-22-1 OS X NTP Security Update (Mac OS X)
• 80520 - Firefox < 35.0 Multiple Vulnerabilities (Mac OS X)
• 80950 - Google Chrome < 40.0.2214.91 Multiple Vulnerabilities (Mac OS X)
• 80999 - Flash Player For Mac <= 16.0.0.287 Unspecified Code Execution (APSA15-01)
• 81021 - Google Chrome < 40.0.2214.93 Flash Player Multiple Remote Code Execution (Mac OS X)
• 81087 - Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)
• 81088 - Mac OS X Multiple Vulnerabilities (Security Update 2015-001) (POODLE)
• 81128 - Flash Player For Mac <= 16.0.0.296 Unspecified Code Execution (APSA15-02 / APSB15-04)
• 81208 - Google Chrome < 40.0.2214.111 Multiple Vulnerabilities (Mac OS X)
• 81517 - Firefox ESR 31.x < 31.5 Multiple Vulnerabilities (Mac OS X)
• 81518 - Firefox < 36.0 Multiple Vulnerabilities (Mac OS X)
• 81519 - Mozilla Thunderbird < 31.5 Multiple Vulnerabilities (Mac OS X)
• 81648 - Google Chrome < 41.0.2272.76 Multiple Vulnerabilities (Mac OS X) (FREAK)
• 81758 - Apple Xcode < 6.2 (Mac OS X)
• 81820 - Flash Player For Mac <= 16.0.0.305 Multiple Vulnerabilities (APSB15-05)
• 81882 - Opera < 28.0.1750.40 SSL/TLS EXPORT_RSA Ciphers Downgrade MitM (Mac OS X) (FREAK)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file macosx_shockwave_player_apsb10-25.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.

Go back to menu.