iDEFENSE Security Advisory 12.14.04 - Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

From: customer service mailbox (customerservice_at_idefense.com)
Date: 12/14/04

    Date: Tue, 14 Dec 2004 10:39:02 -0500
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    
    

    Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

    iDEFENSE Security Advisory 12.14.04
    www.idefense.com/application/poi/display?id=161&type=vulnerabilities
    December 14, 2004

    I. BACKGROUND

    Adobe Acrobat Reader is a program for viewing Portable Document Format
    (PDF) documents. More information is available at the following site:

        http://www.adobe.com/products/acrobat/readermain.html

    II. DESCRIPTION

    Remote exploitation of a buffer overflow in version 5.0.9 of Adobe
    Acrobat Reader for Unix could allow for execution of arbitrary code.

    The vulnerability specifically exists in the function mailListIsPdf().

    This function checks whether the input file is an e-mail message
    containing a PDF. It unsafely copies user-supplied data with strcat()
    into a fixed-size buffer, without checking the remaining space.
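    To make the bug class concrete, here is an added illustration that is not
    Adobe's code: a mail header scanner that strcat()s sender-controlled RFC 822
    continuation lines into a fixed-size buffer, next to a bounded version that
    refuses input it cannot hold. The header-unfolding logic, the 64-byte buffer
    size, the function names and the sample messages are all assumptions made
    for the example and say nothing about how mailListIsPdf() is written.

```c
#include <stdio.h>
#include <string.h>

#define HDR_MAX 64  /* assumed size of the fixed buffer for one unfolded header */

/* Copy the next line of msg (without its newline) into line and return a
 * pointer to the following line, or NULL at end of message.  Lines longer
 * than linesz-1 bytes are truncated so this helper itself cannot overflow. */
static const char *next_line(const char *msg, char *line, size_t linesz)
{
    if (msg == NULL || *msg == '\0')
        return NULL;
    const char *nl = strchr(msg, '\n');
    size_t len = nl ? (size_t)(nl - msg) : strlen(msg);
    if (len >= linesz)
        len = linesz - 1;
    memcpy(line, msg, len);
    line[len] = '\0';
    return nl ? nl + 1 : msg + strlen(msg);
}

/* Vulnerable pattern (assumed, for illustration only): unfold the
 * Content-Type header by strcat()ing each continuation line (a line that
 * starts with whitespace) onto a fixed-size buffer.  The sender controls
 * how many continuation lines there are and how long they are, so hdr
 * overflows.  Returns 1 if the unfolded header says application/pdf, else 0. */
int mail_has_pdf_unsafe(const char *msg)
{
    char hdr[HDR_MAX];
    char line[256];
    int in_ct = 0;

    hdr[0] = '\0';
    while ((msg = next_line(msg, line, sizeof line)) != NULL) {
        if (line[0] == '\0')
            break;                          /* blank line ends the headers */
        if (strncmp(line, "Content-Type:", 13) == 0) {
            strcpy(hdr, line);              /* unbounded copy */
            in_ct = 1;
        } else if (in_ct && (line[0] == ' ' || line[0] == '\t')) {
            strcat(hdr, line);              /* unbounded append: the overflow */
        } else {
            in_ct = 0;
        }
    }
    return strstr(hdr, "application/pdf") != NULL;
}

/* Hardened form: track the bytes already used and refuse, rather than
 * silently truncate, a header that does not fit, so nothing is written past
 * hdr.  Returns 1 for PDF, 0 for not PDF, -1 for an oversized header. */
int mail_has_pdf_safe(const char *msg)
{
    char hdr[HDR_MAX];
    char line[256];
    int in_ct = 0;
    size_t used = 0;

    hdr[0] = '\0';
    while ((msg = next_line(msg, line, sizeof line)) != NULL) {
        if (line[0] == '\0')
            break;
        int start = strncmp(line, "Content-Type:", 13) == 0;
        int cont  = in_ct && (line[0] == ' ' || line[0] == '\t');
        if (start) {
            used = 0;
            hdr[0] = '\0';
            in_ct = 1;
        } else if (!cont) {
            in_ct = 0;
            continue;
        }
        size_t n = strlen(line);
        if (n >= sizeof hdr - used)         /* no room for line plus NUL */
            return -1;
        memcpy(hdr + used, line, n + 1);    /* bounded: n + 1 <= remaining */
        used += n;
    }
    return strstr(hdr, "application/pdf") != NULL;
}

/* Constructed sample messages, not real captures. */
static const char benign_mail[] =
    "From: alice@example.com\n"
    "Content-Type: application/pdf;\n"
    " name=report.pdf\n"
    "\n"
    "%PDF-1.4 ...\n";

/* One continuation line much longer than HDR_MAX is enough to overflow. */
static const char hostile_mail[] =
    "From: mallory@example.com\n"
    "Content-Type: application/pdf;\n"
    " name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "\n";

int main(void)
{
    printf("benign:  safe=%d unsafe=%d\n",
           mail_has_pdf_safe(benign_mail), mail_has_pdf_unsafe(benign_mail));
    /* mail_has_pdf_unsafe(hostile_mail) is deliberately not called: it would
     * write past hdr, which is undefined behaviour and the bug illustrated. */
    printf("hostile: safe=%d (unsafe version would overflow hdr)\n",
           mail_has_pdf_safe(hostile_mail));
    return 0;
}
```

    The hardened version rejects rather than truncates, because a truncated
    Content-Type value could still be misclassified; the caller decides what to
    do with -1. Note that per-line truncation in next_line() does not save the
    unsafe version: the overflow comes from accumulating many bounded lines
    into one buffer whose remaining space is never consulted.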

    III. ANALYSIS

    Successful exploitation allows an attacker to execute arbitrary code
    under the privileges of the local user. Remote exploitation is possible
    by sending a specially crafted e-mail and attaching either the
    maliciously crafted PDF document or a link to it.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in Adobe
    Acrobat Reader version 5.0.9 for Unix. Previous versions of Adobe
    Acrobat Reader 5 for Unix are also suspected to be vulnerable.

    V. WORKAROUND

    User awareness is the best defense against this class of attack.
    Users should be aware of the existence of such attacks and proceed with
    caution when following links from suspicious and/or unsolicited e-mail.

    Additionally, you may wish to apply the following unofficial patch from
    iDEFENSE Labs to the acroread shell script. The acroread shell script
    calls the appropriate binary for the platform. The patch adds a check
    that ensures that files passed as arguments to acroread are in fact PDF
    documents. This patch will not protect against files opened from within
    the Acrobat Reader GUI.

    The bin/ directory of the application contains an 'acroread' shell
    script while the Reader/ directory contains a binary with the same name.
    The command 'file acroread', when executed in the same directory as the
    shell script, should return the line:

    acroread: a /bin/sh script text executable

    This result indicates that this is the shell script to which the patch
    below applies.

    acroread.patch:

    --- acroread.orig 2004-10-13 17:25:57.000000000 -0400
    +++ acroread 2004-10-13 17:55:43.000000000 -0400
    @@ -309,6 +309,16 @@
     fi
     
     if [ -f "$ACRO_EXEC_CMD" ] ; then
    + for CHECK in ${1+"$@"};
    + do
    + [ -f "$CHECK" ] && {
    + file "$CHECK" | grep "PDF document" || \
    + {
    + echo "$CHECK" exists, but is not a PDF document.
    + exit 1;
    + }
    + }
    + done
       exec "$ACRO_EXEC_CMD" ${1+"$@"}
     else
       echo "ERROR: Cannot find $ACRO_EXEC_CMD"
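
    Review bot: in the added loop, `file "$CHECK" | grep "PDF document"` runs
    grep without -q, so the file(1) description line is written to stdout on
    every successful launch, and the rejection message on the following line
    also goes to stdout rather than stderr; use `grep -q "PDF document"` and
    `echo "$CHECK exists, but is not a PDF document." >&2` so the only visible
    output is the error, on stderr. Two caveats deserve a comment in the
    script: the "PDF document" text is whatever the installed magic database
    prints for a %PDF- signature, so confirm the pattern against `file` on a
    known-good PDF on the target system before deploying; and file(1) does not
    dereference symbolic links unless POSIXLY_CORRECT is set or -L is given,
    so a symlink to a PDF is reported as a symbolic link and rejected by this
    check, which `file -L "$CHECK"` avoids.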

    VI. VENDOR RESPONSE

    This vulnerability is fixed in Adobe Acrobat Reader 5.0.10 for Unix.
    Further details of the vulnerability are available in the following
    knowledgebase article:

       http://www.adobe.com/support/techdocs/331153.html

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2004-1152 to this issue. This is a candidate for inclusion
    in the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    10/14/2004 Initial vendor notification
    10/15/2004 Initial vendor response
    12/14/2004 Coordinated public disclosure

    IX. CREDIT

    This vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

