Local file detection found through Adobe Reader ActiveX control

• Previous message: dcrab: "Multiple Sql injection and XSS in CartWIZ ASP Cart"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <bugtraq@securityfocus.com>
Date: Sat, 23 Apr 2005 10:51:50 -0700

Hyperdose Security Advisory

Name: Local file detection found through Adobe Reader ActiveX control
Systems Affected: Adobe Reader 7.0 and earlier
Severity: Low
Author: Robert Fly - robfly@hyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-06.txt

--Adobe Description--
From Adobe.com, "Adobe helps people and businesses communicate better
through its world-leading digital imaging, design, and document technology
platforms for consumers, creative professionals, and enterprises.".

--Bug Details--
Adobe Reader contains a Safe for Scripting method with the definition of
VARIANT_BOOL LoadFile([in] BSTR fileName). A malicious user can take
advantage of this if they can get their victim to navigate to their
malicious website. On the website, the attacker can call the LoadFile
method, passing in a local file name on their victim's computer. Using this
method, the attacker is able to determine file existence on their victim's
machine. Through this method it is not possible to extract the content of
the file.

This attack would be useful as a stepping stone to further attacks. Knowing
the existence of a local file an attacker can gain knowledge as to the
software and likely versions of software the individual is using.

NOTE: This bug was discovered by NISCC in parallel prior to the fix release.

--Fix Information--
Upgrade info and further details from Adobe can be found here:
http://www.adobe.com/support/techdocs/331465.html
This fix was originally posted on 4/1/05.

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle. We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web www.hyperdose.com
email robfly@hyperdose.com

• Previous message: dcrab: "Multiple Sql injection and XSS in CartWIZ ASP Cart"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NT] Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability ... Get your security news from a reliable source. ... Adobe Reader is "a program used to display ... A vendor security advisory was not ... 03/11/2004 Initial vendor response ... (Securiteam) [NT] Adobe Reader Security Provider Unsafe Libary Path Vulnerability ... Get your security news from a reliable source. ... Adobe Reader Security Provider Unsafe Libary Path Vulnerability ... Provider" libraries that contains the directory the application was ... (Securiteam) [UNIX] Adobe Acrobat Reader (UNIX) Uudecode Filename Buffer Overflow Vulnerability ... Get your security news from a reliable source. ... free software that lets you view and print Adobe Portable Document Format ... The UNIX version of Adobe Reader is vulnerable ... The vulnerability specifically exists in that Acrobat Reader fails to ... (Securiteam) [Full-disclosure] [ GLSA 200605-04 ] phpWebSite: Local file inclusion ... Title: phpWebSite: Local file inclusion ... execution of arbitrary code. ... phpWebSite provides a complete web site content management system. ... Security is a primary focus of Gentoo Linux and ensuring the ... (Full-Disclosure) [Full-disclosure] [ GLSA 200508-11 ] Adobe Reader: Buffer Overflow ... Adobe Reader is vulnerable to a buffer overflow which could potentially ... Adobe Reader is a utility used to view PDF files. ... Security is a primary focus of Gentoo Linux and ensuring the ... (Full-Disclosure)