[NT] Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/17/04

    To: list@securiteam.com
    Date: 17 Aug 2004 17:36:39 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Adobe Acrobat/Acrobat Reader are programs for creating and/or viewing
    documents in Adobe Portable Document Format (PDF). More information is
    available at http://www.adobe.com/products/acrobat/.

    Adobe Acrobat/Acrobat Reader suffers from a buffer overflow vulnerability
    which allows remote attackers to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Adobe Acrobat 5.0.5
     * Adobe Acrobat 6.0.2

    Technical Details:
    Exploitation of a buffer overflow vulnerability in the ActiveX component
    packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote
    attackers to execute arbitrary code.

    The problem specifically exists upon retrieving a link of the following
    form:
        GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

    [long string] is a crafted long string made up of acceptable URI
    characters. The request must be made to a web server that truncates the
    request at the null byte (%00); otherwise an invalid file name is
    specified and a "file not found" page is returned. Web servers known to
    truncate the requested URI in this way include Microsoft IIS and Netscape
    Enterprise. Although the URI is truncated for the purpose of locating the
    file, the full long string is still passed to the Adobe ActiveX component
    responsible for rendering the page. This in turn triggers a buffer
    overflow whose corrupted data is later consumed by RTLHeapFree(), allowing
    an attacker to overwrite an arbitrary 32-bit word in memory (a
    write-what-where primitive). The responsible instructions from
    RTLHeapFree() are shown here:

        0x77F83AE5 MOV EAX,[EDI+8]
        0x77F83AE8 MOV ECX,[EDI+C]
        ...
        0x77F83AED MOV [ECX],EAX

    The register EDI points into the user-supplied string, so the attacker
    controls both EAX (the value, loaded from EDI+8) and ECX (the destination
    address, loaded from EDI+0xC) of the final MOV: an arbitrary 32-bit write
    to an attacker-chosen address.
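    The mismatch the advisory relies on, modelled in C as an added example (this is not code from the advisory, from iDEFENSE or from Adobe): the decoded request-target is read once as a NUL-terminated C string, which is how a server such as IIS ends up resolving "any_existing_pdf.pdf", and once as a byte buffer with an explicit length, which is what the advisory says the ActiveX control receives. The sample request, the function names and the "refuse any target with an embedded NUL" check are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample request-target: an existing PDF, a %00, then a tail of
 * attacker-chosen URI-acceptable bytes (16 'A's here; the real one is long). */
#define SAMPLE_TAIL "AAAAAAAAAAAAAAAA"
static const char SAMPLE_URI[] = "/pdf/any_existing_pdf.pdf%00" SAMPLE_TAIL;

struct views {
    size_t decoded_len;  /* bytes after percent-decoding, NUL included      */
    size_t server_len;   /* what strlen() reports: stops at the decoded %00 */
    size_t hidden_tail;  /* bytes that never took part in the file lookup   */
    int    embedded_nul; /* 1 if the decoded target contains a NUL at all   */
};

/* Percent-decode src into dst (cap bytes). Returns the decoded length, which
 * counts everything after a decoded %00; dst is also NUL-terminated so it can
 * be read as a C string, the way a file-serving path would be. */
size_t url_decode(const char *src, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0' && n + 1 < cap; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;                      /* skip the two hex digits */
        } else {
            dst[n++] = (unsigned char)src[i];
        }
    }
    dst[n] = '\0';
    return n;
}

/* The check either side should make before trusting the decoded target: a
 * request-target with an embedded NUL has two different lengths, so reject it. */
int has_embedded_nul(const unsigned char *decoded, size_t decoded_len)
{
    return memchr(decoded, '\0', decoded_len) != NULL;
}

/* Decode one request-target and report both views of it. */
struct views analyze(const char *uri)
{
    unsigned char buf[512];
    struct views v;
    v.decoded_len  = url_decode(uri, buf, sizeof buf);
    v.server_len   = strlen((const char *)buf);            /* C-string view */
    v.embedded_nul = has_embedded_nul(buf, v.decoded_len);  /* length view   */
    v.hidden_tail  = v.decoded_len > v.server_len
                   ? v.decoded_len - v.server_len - 1 : 0;
    return v;
}

int main(void)
{
    struct views v = analyze(SAMPLE_URI);
    printf("decoded bytes:                     %zu\n", v.decoded_len);
    printf("path the server resolves:          %zu bytes (ends at %%00)\n", v.server_len);
    printf("bytes passed on but never checked: %zu\n", v.hidden_tail);
    printf("reject request?                    %s\n", v.embedded_nul ? "yes" : "no");
    return 0;
}
```

    The point of the two lengths is that the server's file lookup and the component that renders the result disagree about where the request ends; a server or plug-in that checks has_embedded_nul() on the decoded bytes, rather than trusting strlen(), does not hand the tail through.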

    Analysis:
    Successful exploitation allows remote attackers to utilize the arbitrary
    word overwrite to redirect the flow of control and eventually take control
    of the affected system. Code execution will occur under the context of the
    user that instantiated the vulnerable version of Adobe Acrobat.

    An attacker does not need to set up a malicious web site: exploitation
    only requires appending the crafted suffix to a link to any existing PDF
    hosted on any Microsoft IIS or Netscape Enterprise web server. Nor does
    the victim need to click a link, since the reference can be embedded in an
    IMAGE tag, an IFRAME or an auto-loading script.

    Successful exploitation requires that the payload be written so that
    certain parts of the input consist only of URI-acceptable characters.
    This applies to the initially injected instructions as well as to certain
    overwritten addresses, and it increases the complexity of a working
    exploit. While not trivial, exploitation is definitely possible.
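    A model of the write-what-where primitive from the Technical Details and of the URI-character constraint noted above, added here as an example (it is not the iDEFENSE proof of concept and not Adobe's code): it executes the three quoted instructions over a small simulated address space, shows a hardened variant that validates the destination before writing through it, and tests whether a 32-bit word can be placed raw using only RFC 3986 unreserved characters, which is the assumption made here for "URI acceptable". The layout, the addresses and the heap-range check are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256u   /* simulated little-endian address space: mem[] offsets */

static uint32_t load32(const uint8_t *mem, uint32_t addr)
{
    if (addr > MEM_SIZE - 4) return 0;
    return (uint32_t)mem[addr] | (uint32_t)mem[addr + 1] << 8 |
           (uint32_t)mem[addr + 2] << 16 | (uint32_t)mem[addr + 3] << 24;
}

static void store32(uint8_t *mem, uint32_t addr, uint32_t v)
{
    if (addr > MEM_SIZE - 4) return;   /* a real process would fault here */
    mem[addr] = (uint8_t)v;             mem[addr + 1] = (uint8_t)(v >> 8);
    mem[addr + 2] = (uint8_t)(v >> 16); mem[addr + 3] = (uint8_t)(v >> 24);
}

/* The sequence quoted in the advisory, with EDI = edi:
 *   MOV EAX,[EDI+8] ; MOV ECX,[EDI+C] ; MOV [ECX],EAX
 * Nothing checks that the word at EDI+0xC is an address this routine
 * should be writing through. */
void free_record_vulnerable(uint8_t *mem, uint32_t edi)
{
    uint32_t eax = load32(mem, edi + 8);
    uint32_t ecx = load32(mem, edi + 12);
    store32(mem, ecx, eax);
}

/* Hardened variant (an illustration, not Adobe's fix): refuse to write
 * through a link pointer that is not an aligned word inside the region
 * this routine manages. */
int free_record_checked(uint8_t *mem, uint32_t edi, uint32_t lo, uint32_t hi)
{
    uint32_t eax = load32(mem, edi + 8);
    uint32_t ecx = load32(mem, edi + 12);
    if (ecx < lo || ecx > hi - 4 || (ecx & 3u)) return 0;
    store32(mem, ecx, eax);
    return 1;
}

/* Constructed layout: attacker bytes land at RECORD inside the managed
 * region [HEAP_LO, HEAP_HI); TARGET is a word outside it (think of a
 * function pointer) that the attacker wants to replace. */
#define HEAP_LO  0x20u
#define HEAP_HI  0x60u
#define RECORD   0x40u
#define TARGET   0x80u
#define ORIGINAL 0xCAFEBABEu

/* Fill the record the way the "long string" would: filler, then the value
 * to write at +8 and the address to write it to at +12. */
static void craft_record(uint8_t *mem, uint32_t what, uint32_t where)
{
    memset(mem + RECORD, 'A', 16);
    store32(mem, RECORD + 8, what);
    store32(mem, RECORD + 12, where);
}

/* Run the vulnerable path and return the word now at TARGET. */
uint32_t run_vulnerable(uint32_t what, uint32_t where)
{
    uint8_t mem[MEM_SIZE] = {0};
    store32(mem, TARGET, ORIGINAL);
    craft_record(mem, what, where);
    free_record_vulnerable(mem, RECORD);
    return load32(mem, TARGET);
}

/* Run the checked path; returns 1 if the write was permitted. */
int run_checked(uint32_t what, uint32_t where)
{
    uint8_t mem[MEM_SIZE] = {0};
    store32(mem, TARGET, ORIGINAL);
    craft_record(mem, what, where);
    return free_record_checked(mem, RECORD, HEAP_LO, HEAP_HI);
}

/* Assumed reading of "URI acceptable": a byte placed raw in the
 * request-target must be in the RFC 3986 unreserved set. A zero byte can
 * never appear, since it would end the string a second time. */
int byte_is_uri_clean(uint8_t b)
{
    return (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') ||
           (b >= '0' && b <= '9') || b == '-' || b == '.' || b == '_' || b == '~';
}

/* Can this 32-bit value (an address or a payload word) be spelled out
 * byte by byte using only clean characters? */
int word_is_uri_clean(uint32_t w)
{
    for (int i = 0; i < 4; i++)
        if (!byte_is_uri_clean((uint8_t)(w >> (8 * i)))) return 0;
    return 1;
}

int main(void)
{
    printf("TARGET after vulnerable free: 0x%08X\n", run_vulnerable(0x41414141u, TARGET));
    printf("checked free permits it:      %d\n", run_checked(0x41414141u, TARGET));
    printf("0x77F83AE5 spellable raw:     %d\n", word_is_uri_clean(0x77F83AE5u));
    return 0;
}
```

    The last check is why the advisory calls exploitation non-trivial: an address such as the quoted 0x77F83AE5 contains bytes outside the clean set, so every address and instruction word that must survive in the raw request has to be chosen from the values word_is_uri_clean() accepts.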

    Workaround:
    Change the Adobe Acrobat/Acrobat Reader settings so that PDF files no
    longer open automatically inside the web browser. When prompted, save the
    file to disk before opening it; this closes the exploitation vector
    described above. Note that this only disables browser integration: the
    ActiveX control itself remains installed, so the setting is a mitigation
    rather than a fix.

    This can be accomplished using the following steps:

    1. Open Adobe Acrobat/Acrobat Reader
    2. Go to Edit --> Preferences
    3. Uncheck the "Display PDF in browser" setting
    4. Click OK

    Vendor Status:

    iDEFENSE brought this vulnerability to the attention of the vendor
    according to the publicized timeline. However, the vendor appears to have
    attempted to silently fix this vulnerability without coordinating public
    disclosure of the issue. Moreover, the vendor does not appear to have
    publicly posted details of the security fix to inform clients of the risks
    posed by unpatched versions of the software.

    Adobe has stated that the vulnerability was patched in Adobe Acrobat
    Reader 6.0.2. However, iDEFENSE has tested proof of concept exploit code
    that will cause the latest version of Adobe Acrobat Reader (6.0.2) to
    crash. Adobe has not provided details on the status of a fix for Adobe
    Acrobat.

    CVE Information
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2004-0629 to this issue. This is a candidate for inclusion in the
    CVE list (http://cve.mitre.org), which standardizes names for security
    problems.

    ADDITIONAL INFORMATION

    The information has been provided by Rafel Ivgi <the_insider@mail.com>.
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=126&type=vulnerabilities
