[Full-Disclosure] [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code

From: sec-labs team (team_at_sec-labs.hack.pl)
Date: 07/01/03

  • Next message: Georgi Guninski: "Re: [Full-Disclosure] Microsoft Cries Wolf ( again )"
    To: full-disclosure@lists.netsys.com
    Date: Tue, 1 Jul 2003 15:10:11 +0000
    
    
    
    

         sec-labs team proudly presents:
         
         Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
         by mcbethh
         29/06/2003
         
       I. BACKGROUND
         
         quote from documentation:
         'The Acrobat Reader allows anyone to view, navigate, and print documents
         in the Adobe Portable Document Format (PDF).'
         
         Although there is an Acrobat Reader 6.0 for Windows and MacOS, version
         5.0.7 is the last for Unix.
         
       II. DESCRIPTION
         
         There is a buffer overflow vulnerability in the WWWLaunchNetscape
         function. It copies the link address to a 256-byte (in version 5.0.5)
         buffer until '\0' is found. If the link is longer than 256 bytes, the
         return address is overwritten. Notice that the user has to execute
         (click on) our link to exploit this vulnerability. The user also has to
         have the netscape browser in preferences, but it is the default setting.
         
       III. IMPACT
         
         If somebody clicks on a link from a .pdf file specially prepared by an
         attacker, malicious code can be executed with his privileges.
         
       IV. PROOF OF CONCEPT
         
         A proof of concept exploit is attached. It doesn't contain shellcode or
         a valid return address. It just shows that the return address can be
         overwritten with any value. Use gdb to see it, because acroread will not
         crash.
         
         

    -- 
    sec-labs team [http://sec-labs.hack.pl]
    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
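
The copy pattern the advisory describes, next to a bounded replacement, as an added C example. It is not part of the original post and not Adobe's code: `copy_link_unbounded`, `copy_link_checked`, `launch_link` and the sample links are hypothetical, and only the 256-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define LINK_BUF_SIZE 256 /* buffer size the advisory gives for 5.0.5 */

/* Pattern the advisory describes: copy until '\0' with no destination
 * size. Shown for contrast only; nothing below calls it. */
void copy_link_unbounded(char *dst, const char *link)
{
    while ((*dst++ = *link++) != '\0')
        ;
}

/* Bounded form: returns 0 on success, -1 if the link does not fit. */
int copy_link_checked(char *dst, size_t dst_size, const char *link)
{
    if (dst == NULL || link == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(link, '\0', dst_size);
    if (end == NULL) {
        /* Too long. Reject instead of truncating: a cut-off URL is a
         * different URL and would still be handed to the browser. */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, link, (size_t)(end - link) + 1); /* includes the '\0' */
    return 0;
}

/* Hypothetical caller standing in for the link-launch path. */
int launch_link(const char *link)
{
    char url[LINK_BUF_SIZE];
    if (copy_link_checked(url, sizeof url, link) != 0)
        return -1;
    /* A real implementation would pass url to the browser here. */
    return (int)strlen(url);
}

int main(void)
{
    char long_link[400]; /* constructed over-long input */
    memset(long_link, 'A', sizeof long_link - 1);
    long_link[sizeof long_link - 1] = '\0';
    printf("short: %d\n", launch_link("http://example.com/doc.pdf"));
    printf("long:  %d\n", launch_link(long_link));
    return 0;
}
```

The boundary sits at 255 characters: that is the longest link that still leaves room for the terminator in a 256-byte buffer.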



