Untrusted search path vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Linux allows local users to obtain sensitive information or gain privileges via a crafted library in a directory contained in the RPATH.

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 3 and 4 Extras.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

Multiple input validation flaws were found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use these flaws to create a specially crafted SWF file that could cause flash-plugin to crash, or, possibly, execute arbitrary code when the victim loaded a page containing the specially crafted SWF content.
(CVE-2009-0520, CVE-2009-0519)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 9.0.159.0.

The remote Redhat Enterprise Linux 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2009:0332 advisory.

    The flash-plugin package contains a Firefox-compatible Adobe Flash Player     Web browser plug-in.

    Multiple input validation flaws were found in the way Flash Player     displayed certain SWF (Shockwave Flash) content. An attacker could use     these flaws to create a specially-crafted SWF file that could cause     flash-plugin to crash, or, possibly, execute arbitrary code when the victim     loaded a page containing the specially-crafted SWF content. (CVE-2009-0520,     CVE-2009-0519)

    It was discovered that Adobe Flash Player had an insecure RPATH (runtime     library search path) set in the ELF (Executable and Linking Format) header.
    A local user with write access to the directory pointed to by RPATH could     use this flaw to execute arbitrary code with the privileges of the user     running Adobe Flash Player. (CVE-2009-0521)

    All users of Adobe Flash Player should install this updated package, which     upgrades Flash Player to version 10.0.22.87.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Specially crafted swf files could cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute code on the victim's machine. (CVE-2009-0519 / CVE-2009-0520 / CVE-2009-0114 / CVE-2009-0521)

Specially crafted swf files could cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute code on the victim's machine (CVE-2009-0519, CVE-2009-0520, CVE-2009-0114, CVE-2009-0521).

The remote host is affected by the vulnerability described in GLSA-200903-23 (Adobe Flash Player: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Adobe Flash Player:
    The access scope of SystemsetClipboard() allows ActionScript     programs to execute the method without user interaction     (CVE-2008-3873).
    The access scope of FileReference.browse() and     FileReference.download() allows ActionScript programs to execute the     methods without user interaction (CVE-2008-4401).
    The Settings Manager controls can be disguised as normal graphical     elements. This so-called 'clickjacking' vulnerability was disclosed by     Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security,     Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of     TopsecTianRongXin (CVE-2008-4503).
    Adan Barth (UC Berkely) and Collin Jackson (Stanford University)     discovered a flaw occurring when interpreting HTTP response headers     (CVE-2008-4818).
    Nathan McFeters and Rob Carter of Ernst and Young's Advanced     Security Center are credited for finding an unspecified vulnerability     facilitating DNS rebinding attacks (CVE-2008-4819).
    When used in a Mozilla browser, Adobe Flash Player does not     properly interpret jar: URLs, according to a report by Gregory     Fleischer of pseudo-flaw.net (CVE-2008-4821).
    Alex 'kuza55' K. reported that Adobe Flash Player does not properly     interpret policy files (CVE-2008-4822).
    The vendor credits Stefano Di Paola of Minded Security for     reporting that an ActionScript attribute is not interpreted properly     (CVE-2008-4823).
    Riley Hassell and Josh Zelonis of iSEC Partners reported multiple     input validation errors (CVE-2008-4824).
    The aforementioned researchers also reported that ActionScript 2     does not verify a member element's size when performing several known     and other unspecified actions, that DefineConstantPool accepts an     untrusted input value for a 'constant count' and that character     elements are not validated when retrieved from a data structure,     possibly resulting in a NULL pointer dereference (CVE-2008-5361,     CVE-2008-5362, CVE-2008-5363).
    The vendor reported an unspecified arbitrary code execution     vulnerability (CVE-2008-5499).
    Liu Die Yu of TopsecTianRongXin reported an unspecified flaw in the     Settings Manager related to 'clickjacking' (CVE-2009-0114).
    The vendor credits Roee Hay from IBM Rational Application Security     for reporting an input validation error when processing SWF files     (CVE-2009-0519).
    Javier Vicente Vallejo reported via the iDefense VCP that Adobe     Flash does not remove object references properly, leading to a freed     memory dereference (CVE-2009-0520).
    Josh Bressers of Red Hat and Tavis Ormandy of the Google Security     Team reported an untrusted search path vulnerability     (CVE-2009-0521).
  Impact :

    A remote attacker could entice a user to open a specially crafted SWF     file, possibly resulting in the execution of arbitrary code with the     privileges of the user or a Denial of Service (crash). Furthermore a     remote attacker could gain access to sensitive information, disclose     memory contents by enticing a user to open a specially crafted PDF file     inside a Flash application, modify the victim's clipboard or render it     temporarily unusable, persuade a user into uploading or downloading     files, bypass security restrictions with the assistance of the user to     gain access to camera and microphone, conduct Cross-Site Scripting and     HTTP Header Splitting attacks, bypass the 'non-root domain policy' of     Flash, and gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
63873	RHEL 3 / 4 : flash-plugin (RHSA-2009:0334)	Nessus	Red Hat Local Security Checks	high
63872	RHEL 5 : flash-plugin (RHSA-2009:0332)	Nessus	Red Hat Local Security Checks	high
51730	SuSE 10 Security Update : flash-player (ZYPP Patch Number 6020)	Nessus	SuSE Local Security Checks	high
41391	SuSE 11 Security Update : flash-player (SAT Patch Number 612)	Nessus	SuSE Local Security Checks	high
40216	openSUSE Security Update : flash-player (flash-player-560)	Nessus	SuSE Local Security Checks	high
39962	openSUSE Security Update : flash-player (flash-player-560)	Nessus	SuSE Local Security Checks	high
35904	GLSA-200903-23 : Adobe Flash Player: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
35747	openSUSE 10 Security Update : flash-player (flash-player-6022)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2009-0521

high

Tenable Plugins

high

high

high

high

high

high

critical

high