Adobe Flash Player ActionScript launch command execution

Added: 01/07/2008
CVE: CVE-2008-5499
BID: 32896
OSVDB: 50796

Background

Adobe Flash Player is a cross-platform browser plug-in providing visual enhancements for web pages.

Problem

An input validation vulnerability allows command execution when the browser loads an SWF file which contains shell metacharacters in the arguments to the ActionScript launch method.

Resolution

Upgrade to Adobe Flash Player 10.0.15.3 or higher.

References

http://www.adobe.com/support/security/bulletins/apsb08-24.html

Limitations

Exploit works on Adobe Systems Flash Player 10.0.12.36 on Red Hat Enterprise Linux 5 and requires a user to load the exploit page in a browser.

The target host must have the Adobe AIR package installed.

The target host must have PERL installed.

Platforms

Linux

Back to exploit index