Adobe Flash Player MP4 Sequence Parameter Set Processing

Added: 02/09/2012
CVE: CVE-2011-2140
BID: 49083
OSVDB: 74439

Background

Adobe Flash Player is a cross-platform browser plug-in providing visual enhancements for web pages.

Problem

The Adobe Flash Player Sub_1005B396 function allows command execution when a user opens a specially crafted .swf file. The specific vulnerability is triggered when processing data units in the MP4 Sequence Parameter Set.

Resolution

Upgrade the installed version of Adobe Flash Player as described in Adobe Security Bulletin APSB11-21.

References

http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/

Limitations

This exploit was tested against Adobe Systems Flash Player 10.3.181.34 on Microsoft Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

The target host must have JRE 1.6.x installed.

The user must open the exploit page using Internet Explorer 7, 8, or 9.

Platforms

Windows

Back to exploit index