Vulnerabilities > CVE-2017-2983 - Untrusted Search Path vulnerability in Adobe Shockwave Player

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

adobe

CWE-426

nessus

NVD

Published: 2017-03-14

Updated: 2017-07-17

Summary

Adobe Shockwave versions 12.2.7.197 and earlier have an insecure library loading (DLL hijacking) vulnerability. Successful exploitation could lead to escalation of privilege.

Vulnerable Configurations

Part	Description	Count
Application	Adobe Adobe Shockwave Player - Adobe Shockwave Player 1.0 Adobe Shockwave Player 2.0 Adobe Shockwave Player 3.0 Adobe Shockwave Player 4.0 Adobe Shockwave Player 5.0 Adobe Shockwave Player 6.0 Adobe Shockwave Player 8.0 Adobe Shockwave Player 8.0.196 Adobe Shockwave Player 8.0.196A Adobe Shockwave Player 8.0.204 Adobe Shockwave Player 8.0.205 Adobe Shockwave Player 8.5.1 Adobe Shockwave Player 8.5.1.100 Adobe Shockwave Player 8.5.1.103 Adobe Shockwave Player 8.5.1.105 Adobe Shockwave Player 8.5.1.106 Adobe Shockwave Player 8.5.321 Adobe Shockwave Player 8.5.323 Adobe Shockwave Player 8.5.324 Adobe Shockwave Player 8.5.325 Adobe Shockwave Player 9 Adobe Shockwave Player 9.0.383 Adobe Shockwave Player 9.0.432 Adobe Shockwave Player 10.0.0.210 Adobe Shockwave Player 10.0.1.004 Adobe Shockwave Player 10.1.0.011 Adobe Shockwave Player 10.1.0.11 Adobe Shockwave Player 10.1.1.016 Adobe Shockwave Player 10.1.4.020 Adobe Shockwave Player 10.2.0.021 Adobe Shockwave Player 10.2.0.022 Adobe Shockwave Player 10.2.0.023 Adobe Shockwave Player 11 Adobe Shockwave Player 11.0.0.456 Adobe Shockwave Player 11.0.3.471 Adobe Shockwave Player 11.5.0.595 Adobe Shockwave Player 11.5.0.596 Adobe Shockwave Player 11.5.1.601 Adobe Shockwave Player 11.5.2.602 Adobe Shockwave Player 11.5.6.606 Adobe Shockwave Player 11.5.7.609 Adobe Shockwave Player 11.5.8.612 Adobe Shockwave Player 11.5.9.615 Adobe Shockwave Player 11.5.9.620 Adobe Shockwave Player 11.5.10.620 Adobe Shockwave Player 11.6.0.626 Adobe Shockwave Player 11.6.1.629 Adobe Shockwave Player 11.6.3.633 Adobe Shockwave Player 11.6.4.634 Adobe Shockwave Player 11.6.5.635 Adobe Shockwave Player 11.6.6.636 Adobe Shockwave Player 11.6.7.637 Adobe Shockwave Player 11.6.8.638 Adobe Shockwave Player 12.0.0.112 Adobe Shockwave Player 12.0.2.122 Adobe Shockwave Player 12.0.3.133 Adobe Shockwave Player 12.0.4.144 Adobe Shockwave Player 12.0.6.147 Adobe Shockwave Player 12.0.7.148 Adobe Shockwave Player 12.0.9.149 Adobe Shockwave Player 12.1.0.150 Adobe Shockwave Player 12.1.3.153 Adobe Shockwave Player 12.1.4.154 Adobe Shockwave Player 12.1.5.155 Adobe Shockwave Player 12.1.6.156 Adobe Shockwave Player 12.1.7.157 Adobe Shockwave Player 12.1.9.159 Adobe Shockwave Player 12.2.0.162 Adobe Shockwave Player 12.2.1.171 Adobe Shockwave Player 12.2.4.194 Adobe Shockwave Player 12.2.7.197	76

Common Weakness Enumeration (CWE)

CWE-426 - Untrusted Search Path

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	SHOCKWAVE_PLAYER_APSB17-08.NASL
description	The remote Windows host contains a version of Adobe Shockwave Player that is prior or equal to 12.2.7.197. It is, therefore, affected by a DLL hijacking vulnerability when loading certain dynamic link library (DLL) files due to searching an insecure path that may not be trusted or under user control. An unauthenticated, remote attacker can exploit this issue to execute arbitrary code, with the privileges of the user running the program, by placing a specially crafted file in the path and convincing the user to open a supported file type (e.g., located on a remote WebDAV share).
last seen	2020-06-01
modified	2020-06-02
plugin id	97835
published	2017-03-20
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/97835
title	Adobe Shockwave Player <= 12.2.7.197 DLL Hijacking (APSB17-08)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References