Re: [Full-disclosure] 0-day PDF exploit



Yes, you are right, the adobe's fault is allowing to call "mailto" URI without user's validate(they checked other URIs such as "http" but not "mailto"), but the "remote code execute" is due to MS's fault, I am not prefer or hate any vendor and anyone, but the initial disclosure misleaded me to believe there is a PDF file format vul because "the vulnerability affecting both Adobe Reader and Foxit Reader". Thanks for your infos again.



welcome to my blog:
http://ruder.cdut.net





From: eric@xxxxxxxxxx
To: "cocoruder ." <frankruder@xxxxxxxxxxx>
CC: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 0-day PDF exploit
Date: Wed, 17 Oct 2007 03:07:16 -0700

Why everybody said it is a zero day about PDF? it's just a fault in
IE7, or just want to make a big media hit? real PDF zero day will
exists in the PDF's file format, or some Adobe's expanded functions.

Actually, it's about PDF *and* IE7. Both are at fault, and if either one of them was doing the right thing, the exploit would fail.

The first fault is Adobe's. Because it's their code that first acquires the input from the attacker, it's their job IMHO to validate it properly, but they don't. Instead, they turn around and tell Windows to open the bogus URI.

The second fault is IE7's. The protocol handler used to fail gracefully by rejecting this kind of malformed URI, but now it doesn't. The new behavior is to turn around and call ShellExecute() with data taken from the URI.

I prefer to think of it this way: Adobe's code has been doing the wrong thing for years, and they've gotten lucky. But now, a new bug in IE7 has come along which makes the old bug in Adobe's code exploitable.

- Eric



_________________________________________________________________
与联机的朋友进行交流,请使用 MSN Messenger: http://messenger.msn.com/cn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] 0-day PDF exploit
    ... IE7, or just want to make a big media hit? ... The first fault is Adobe's. ... Windows to open the bogus URI. ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: Sharapova a lousy lay?
    ... "Limp and no very quiet". ... Could of course be his fault:) ... It could also be of course that Uri had her circumcised at ...
    (rec.sport.tennis)
  • Re: Sharapova a lousy lay?
    ... "Limp and no very quiet". ... Could of course be his fault:) ... It could also be of course that Uri had her circumcised at puberty. ...
    (rec.sport.tennis)
  • Re: Sharapova a lousy lay?
    ... "Limp and no very quiet". ... Could of course be his fault:) ... It could also be of course that Uri had her circumcised at puberty. ...
    (rec.sport.tennis)
  • Re: Action field of addressing (wsa:Action) is case sensitive ?
    ... This is a known bug that is fixed and will be in the next release. ... > if I put the URI on the proxy to be same as that of one in my method i.e ... > but even if it is specified in specifications why it should be like ...
    (microsoft.public.dotnet.framework.webservices.enhancements)