[Full-Disclosure] [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code

From: sec-labs team (team_at_sec-labs.hack.pl)
Date: 07/01/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 1 Jul 2003 15:10:11 +0000

         sec-labs team proudly presents:
         
         Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
         by mcbethh
         29/06/2003
         
       I. BACKGROUND
         
         quote from documentation:
         'The Acrobat Reader allows anyone to view, navigate, and print documents
         in the Adobe Portable Document Format (PDF).'
         
         However, there is Acrobat Reader 6.0 for Windows and MacOS; version 5.0.7
         is the last for Unix.
         
       II. DESCRIPTION
         
         There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It
         copies the link address into a 256-byte buffer (in version 5.0.5) until '\0' is
         found. If the link is longer than 256 bytes, the return address is overwritten.
         Notice that the user has to execute (click on) our link to exploit this
         vulnerability. The user also has to have the Netscape browser set in preferences,
         but that is the default setting.
         
       III. IMPACT
         
         If somebody clicks on a link in a .pdf file specially prepared by an attacker,
         malicious code can be executed with his privileges.
         
       IV. PROOF OF CONCEPT
         
         A proof of concept exploit is attached. It contains neither shellcode nor a
         valid return address. It just shows that the return address can be overwritten
         with any value. Use gdb to see it, because acroread will not crash.
         
         

    -- 
    sec-labs team [http://sec-labs.hack.pl]
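As an added defender-side example, not part of the sec-labs post or their attached PoC: a minimal scanner that flags PDF URI actions whose link string could not fit the 256-byte buffer the advisory describes. The PDF fragment, the 256-byte constant and the function names (`count_overlong_uris`, `literal_string_len`, `scan_constructed_sample`) are constructed for this example; only literal strings `/URI (...)` are handled, hex strings and indirect objects are assumed absent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the link buffer the advisory describes (assumption: same in 5.0.7). */
#define ACROREAD_LINK_BUF 256

/* Length of the PDF literal string whose '(' is at buf[pos], honouring
 * backslash escapes (counted as one character) and balanced nested
 * parentheses. Returns -1 if the string is unterminated. */
static long literal_string_len(const unsigned char *buf, size_t len, size_t pos)
{
    int depth = 0;
    long n = 0;
    for (size_t i = pos; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\\' && i + 1 < len) { i++; n++; continue; }
        if (c == '(') { if (depth++ > 0) n++; continue; }
        if (c == ')') { if (--depth == 0) return n; n++; continue; }
        n++;
    }
    return -1;
}

/* Count /URI literal strings that would not fit a `limit`-byte buffer
 * (limit - 1 characters plus the terminating NUL). "/S /URI" in the action
 * dictionary is skipped because it is not followed by '('. */
int count_overlong_uris(const unsigned char *buf, size_t len, size_t limit)
{
    static const char key[] = "/URI";
    int hits = 0;
    for (size_t i = 0; i + sizeof key - 1 < len; i++) {
        if (memcmp(buf + i, key, sizeof key - 1) != 0) continue;
        size_t j = i + sizeof key - 1;
        while (j < len && strchr(" \t\r\n", buf[j]) && buf[j] != '\0') j++;
        if (j < len && buf[j] == '(' && literal_string_len(buf, len, j) >= (long)limit)
            hits++;
    }
    return hits;
}

/* Constructed sample: one benign link and one whose URI is over 300 bytes. */
int scan_constructed_sample(void)
{
    static unsigned char pdf[1024];
    size_t n = 0;
    n += sprintf((char *)pdf + n, "<< /Type /Action /S /URI /URI (http://example.com/ok) >>\n");
    n += sprintf((char *)pdf + n, "<< /Type /Action /S /URI /URI (http://example.com/");
    memset(pdf + n, 'A', 300); n += 300;
    n += sprintf((char *)pdf + n, ") >>\n");
    return count_overlong_uris(pdf, n, ACROREAD_LINK_BUF);  /* returns 1 */
}
```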

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html