[UNIX] Adobe Acrobat Reader (UNIX) Shell Metacharacter Code Execution Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/15/04

  • Next message: SecuriTeam: "[NEWS] Clearswift MAILsweeper Multiple Encoding/Compression Issues" 
    To: list@securiteam.com
Date: 15 Aug 2004 14:52:21 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Adobe Acrobat Reader (UNIX) Shell Metacharacter Code Execution
    Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.adobe.com/products/acrobat/readermain.html> Adobe Reader is
    free software that lets you view and print Adobe Portable Document Format
    (PDF) files on a variety of devices and operating systems."

    An input validation error in the uudecode feature of Adobe Acrobat Reader
    allows an attacker to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Adobe Reader versions up to 5.0.6 for Unix, inclusive

    Immune Systems:
     * Adobe Reader version 5.0.9

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0630>
    CAN-2004-0630

    Uuencoding is a scheme that converts 8 bit data into a 6-bit format,
    suitable for transmission via Email. The Unix and Linux versions of Adobe
    Acrobat Reader 5.0 automatically attempt to convert uuencoded documents
    back into their original format. The vulnerability specifically exists in
    the failure of Acrobat Reader to check for the back tick shell
    metacharacter in the filename before executing a command with a shell.
    This allows a maliciously constructed filename to execute arbitrary
    programs.

    Successful exploitation allows attackers to execute arbitrary code under
    the privileges of the user who opened the malicious document with a
    vulnerable version of Adobe Acrobat Reader.

    Vendor Status:
    As with the uudecode filename buffer overflow vulnerability, Adobe has
    been contacted and have silently fixed this vulnerability without publicly
    announcing the vulnerability and alerting potential users of their
    software. There are also no details of a security fix so an unsuspecting
    user will never know about the potential security compromise. As with the
    filename buffer overflow vulnerability, it is unclear when exactly this
    issue has been addressed by Adobe. However, users are encouraged to
    upgrade to the latest version that is found to be immune.

    Disclosure Timeline
     * 03/30/2004 Initial vendor notification
     * 04/05/2004 iDEFENSE clients notified
     * 04/06/2004 Initial vendor response
     * 05/19/2004 Date stamp on patched binary
     * 08/12/2004 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
    The original article can be found at:
    <http://idefense.com/application/poi/display?id=124&type=vulnerabilities>
    http://idefense.com/application/poi/display?id=124&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Clearswift MAILsweeper Multiple Encoding/Compression Issues"

    Relevant Pages