SecurityTracker.com
Category:   Application (Generic)  >   Adobe Acrobat/Reader
Vendors:   Adobe Systems Incorporated
Adobe Acrobat Reader Buffer Overflow in WWWLaunchNetscape() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007089
SecurityTracker URL:  http://securitytracker.com/id/1007089
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 1 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.0.7 and prior versions
Description:   A buffer overflow vulnerability was reported in Adobe Acrobat Reader. A remote user may be able to cause arbitrary code to be executed when a target user clicks on an embedded link.

sec-labs team reported that Acrobat Reader contains a buffer overflow in the WWWLaunchNetscape() function. A remote user can create a specially crafted link within a PDF file. If a target user clicks on the specially crafted embedded link and the target user has the Netscape browser set as the default web browser, the overflow can be triggered. Arbitrary code will then be executed with the privileges of the target user.

A demonstration exploit is provided in the Source Message [it is Base64 encoded].

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user when the target user clicks on a link within a malicious PDF file.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.adobe.com/products/acrobat/main.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow


     sec-labs team proudly presents:
     
     Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
     by mcbethh
     29/06/2003
     
   I. BACKGROUND
     
     quote from documentation: 
     'The Acrobat Reader allows anyone to view, navigate, and print documents 
     in the Adobe Portable Document Format (PDF).'
     
     However there is Acrobat Reader 6.0 for Windows and MacOS, version 5.0.7
     is the last for Unix.
     
   II. DESCRIPTION
     
     There is a buffer overflow vulnerability in the WWWLaunchNetscape function.
     It copies the link address to a 256-byte (in version 5.0.5) buffer until
     '\0' is found. If the link is longer than 256 bytes, the return address is
     overwritten. Notice that the user has to execute (click on) our link to
     exploit this vulnerability. The user also has to have the netscape browser
     in preferences, but it is the default setting.
     
   III. IMPACT
     
     If somebody clicks on a link from a .pdf file specially prepared by an
     attacker, malicious code can be executed with his privileges.
     
   IV. PROOF OF CONCEPT
     
     A proof of concept exploit is attached. It doesn't contain shellcode nor
     a valid return address. It just shows that the return address can be
     overwritten with any value. Use gdb to see it, because acroread will not
     crash.
     
     

-- 
sec-labs team [http://sec-labs.hack.pl]



Attachment: seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2 (base64-encoded)

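The unchecked copy into a 256-byte buffer described in section II of the message above, set beside a bounds-checked alternative. This is an added example, not code from Acrobat Reader or from the original post; `copy_link_checked`, `try_link_of_length` and `LINK_BUF` are hypothetical names, and the commented-out loop is an assumed shape of the flaw.

```c
#include <stdio.h>
#include <string.h>

#define LINK_BUF 256 /* buffer size the post gives for version 5.0.5 */

/* Pattern described in the post, shown only as a comment (assumed shape,
 * not Adobe's code):
 *     char buf[LINK_BUF];
 *     while ((*dst++ = *src++) != '\0') ;    no length check
 * Any link of 256 bytes or more writes past the end of buf. */

/* Hypothetical bounds-checked copy. Returns 0 on success, -1 when the link
 * plus its terminating NUL does not fit. It rejects instead of truncating,
 * because a truncated URL is a different URL. */
int copy_link_checked(char *dst, size_t dst_size, const char *link)
{
    const char *nul;
    size_t len;

    if (dst == NULL || link == NULL || dst_size == 0)
        return -1;
    nul = memchr(link, '\0', dst_size); /* scans at most dst_size bytes */
    if (nul == NULL) {                  /* no NUL in range: too long */
        dst[0] = '\0';
        return -1;
    }
    len = (size_t)(nul - link);
    memcpy(dst, link, len + 1);         /* len + 1 <= dst_size */
    return 0;
}

/* Constructed input: a link made of n 'A' bytes, fed to the checked copy. */
int try_link_of_length(size_t n)
{
    static char link[1024];
    char buf[LINK_BUF];

    if (n >= sizeof link)
        return -1;
    memset(link, 'A', n);
    link[n] = '\0';
    return copy_link_checked(buf, sizeof buf, link);
}

int main(void)
{
    printf("255 bytes: %d\n", try_link_of_length(255));
    printf("256 bytes: %d\n", try_link_of_length(256));
    return 0;
}
```

The boundary sits at 255 bytes of link data: 255 fits with its terminator, 256 is rejected.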


 
 

