2 Replies Latest reply on Oct 9, 2012 1:12 AM by APJ1

    Lingo P-code definition

    APJ1

      There are now a number of reports of malicious code targeting Lingo scripts. To detect this I want to parse the p-code and validate commands which are known to have issues. I have done this for ActionScript, where the p-code is readily available in the manual; however, I cannot find a similar definition for Lingo Script.

      I am aware that there are patches for some, if not all, of the detected vulnerabilities (for example CVE-2010-3653), but I need to be able to protect unpatched systems as well.

        • 1. Re: Lingo P-code definition
          Sean_Wilson Adobe Community Professional

          Can you point us to some of these reports?

          As far as I'm aware, the compiler for Lingo isn't published anywhere, so you won't find a definition (save by trial-and-error reverse engineering...).

          • 2. Re: Lingo P-code definition
            APJ1 Level 1

            The vulnerability that I am currently looking at is CVE-2010-3653, which, although a bit dated, seems to be currently in use. Other possibly related reports are CVE-2010-4186, CVE-2010-4187, CVE-2010-4188, and CVE-2010-4190. You can look at other reports using:

            http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

            This is a search window, and I entered 'adobe director', which will give you a list of CVE numbers and brief summaries. Then search on the complete CVE number in any search engine and you should find fuller descriptions.

            Note that the numbers quoted above may not be related directly to Lingo, as I have yet to identify all the blocks within a Dir file.

            Unfortunately, security by obscurity is not a good policy. The 'bad guys' simply have to fuzz a file until it gives them something useful, whereas the 'good guys' have to understand the whole format to offer protection.

            Thanks for your reply, it looks like it is trial and error then :-(