SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Adobe Acrobat/Reader Vendors:   Adobe Systems Incorporated
Adobe Acrobat Buffer Overflow in 'pdf.ocx' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010952
SecurityTracker URL:  http://securitytracker.com/id/1010952
CVE Reference:   CVE-2004-0629
Date:  Aug 13 2004
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 6.0.2 and prior versions
Description:   iDEFENSE reported a buffer overflow vulnerability in an ActiveX component of Adobe Acrobat. A remote user can execute arbitrary code on the target user's system.

It is reported that a remote user can create a PDF file with a specially crafted embedded HTTP link so that when the file is opened, the buffer overflow will be triggered.

A demonstration exploit request format is provided:

GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

If the request is made to a web server (e.g., IIS, Netscape Enterprise Server) that truncates the request at the null byte (%00), the ActiveX component will overflow a buffer within the RTLHeapFree() function. Arbitrary code can be executed with the privileges of the target user.

The vendor was reportedly notified on April 14, 2004.

Rafel Ivgi is credited with discovering this flaw.

The original advisory is available at:

http://www.idefense.com/application/poi/display?id=126&type=vulnerabilities

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the target user.
Solution:   iDEFENSE reported that you can modify the Adobe Acrobat settings to prevent PDF files from being automatically opened when accessed via a web browser (under Edit, Preferences, uncheck "Display PDF in browser").

iDEFENSE also reported that Adobe may have attempted to silently fix this flaw in version 6.0.2, but was unsuccessful.

Vendor URL:  www.adobe.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  iDEFENSE Security Advisory 08.13.04: Adobe Acrobat/Acrobat Reader


Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 08.13.04
www.idefense.com/application/poi/display?id=126&type=vulnerabilities
August 13, 2004

I. BACKGROUND

Adobe Acrobat/Acrobat Reader are programs for creating and/or viewing
documents in Adobe Portable Document Format (PDF). More information is
available at http://www.adobe.com/products/acrobat/.

II. DESCRIPTION

Exploitation of a buffer overflow vulnerability in the ActiveX component
packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote
attackers to execute arbitrary code.

The problem specifically exists upon retrieving a link of the following
form:

    GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

where [long string] is a maliciously crafted long string containing
acceptable URI characters. The request must be made to a web server that
truncates the request at the null byte (%00); otherwise an invalid file
name is specified and a "file not found" page will be returned. Example
web servers that truncate the requested URI include Microsoft IIS and
Netscape Enterprise. Though the requested URI is truncated for the
purposes of locating the file, the long string is still passed to the
Adobe ActiveX component responsible for rendering the page. This in turn
triggers a buffer overflow within RTLHeapFree(), allowing an attacker
to overwrite an arbitrary word in memory. The responsible instructions
from RTLHeapFree() are shown here:

    0x77F83AE5 MOV EAX,[EDI+8]    ; EAX loaded from the user-controlled block at EDI
    0x77F83AE8 MOV ECX,[EDI+C]    ; ECX loaded from the same user-controlled block
    ...
    0x77F83AED MOV [ECX],EAX      ; EAX written to the address in ECX: arbitrary word overwrite

The register EDI contains a pointer to a user-supplied string. The
attacker therefore has control over both the ECX and EAX registers used
in the final MOV instruction shown.
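The root cause above is a mismatch between what the web server uses for its file lookup (the path up to the NUL) and what is handed to the ActiveX control (the full URI). The following Python is an added example, not code from the advisory or from iDEFENSE: it percent-decodes a request target, splits it at the first NUL exactly where a truncating server would, and reports how many bytes the server silently discarded, then runs that check over a few constructed common-log-format lines so the pattern can be alerted on from the server side. The log lines, the hosts in them and the 64-byte tail threshold are all constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [13/Aug/2004:10:01:02 +0000] "GET /docs/report.pdf HTTP/1.1" 200 4096',
    '10.0.0.7 - - [13/Aug/2004:10:01:09 +0000] "GET /docs/report.pdf%00'
    + "A" * 120 + ' HTTP/1.1" 200 4096',
    '10.0.0.9 - - [13/Aug/2004:10:02:00 +0000] "GET /docs/other.pdf%00x HTTP/1.1" 200 4096',
    '10.0.0.9 - - [13/Aug/2004:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 512',
])

# The quoted request line of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyse_request(target: str, tail_threshold: int = 64) -> dict:
    """Classify one request target.

    'none'   - no NUL in the decoded path.
    'medium' - a NUL is present (never legitimate in a file path).
    'high'   - the part before the NUL names a .pdf and the discarded tail is
               at least tail_threshold bytes, the shape the advisory describes.
    The 64-byte threshold is an assumed tuning value, not from the advisory.
    """
    raw = unquote_to_bytes(target)
    # A truncating server (IIS, Netscape Enterprise per the advisory) uses only
    # lookup_path to find the file; the full raw URI still reaches the control.
    lookup_path, sep, tail = raw.partition(b"\x00")
    if not sep:
        severity = "none"
    elif lookup_path.lower().endswith(b".pdf") and len(tail) >= tail_threshold:
        severity = "high"
    else:
        severity = "medium"
    return {
        "lookup_path": lookup_path.decode("latin-1"),
        "full_length": len(raw),   # what the rendering component would receive
        "tail_length": len(tail),  # what the server silently discarded
        "severity": severity,
    }


def scan_log(text: str, tail_threshold: int = 64) -> list:
    """Run analyse_request over every request line; keep anything with a NUL."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = analyse_request(match.group("target"), tail_threshold)
        if result["severity"] != "none":
            result["line"] = line
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} lookup={f['lookup_path']} "
              f"full={f['full_length']}B discarded={f['tail_length']}B")
```

The useful server-side rule that falls out of this is simple: a percent-encoded NUL has no legitimate place in a file path, so a front-end or WAF can reject it outright rather than let the server truncate, and the "severity" field separates the exact shape described here (a .pdf followed by a long discarded tail) from generic NUL probes when reviewing logs.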

III. ANALYSIS

Successful exploitation allows remote attackers to utilize the arbitrary
word overwrite to redirect the flow of control and eventually take
control of the affected system. Code execution will occur under the
context of the user that instantiated the vulnerable version of Adobe
Acrobat.

An attacker does not need to establish a malicious web site as
exploitation can occur by adding malicious content to the end of any
embedded link and referencing any Microsoft IIS or Netscape Enterprise
web server. Clicking on a direct malicious link is also not required as
it may be embedded within an IMAGE tag, an IFRAME or an auto-loading
script.

Successful exploitation requires that a payload be written such that
certain areas of the input are URI acceptable. This includes initial
injected instructions as well as certain overwritten addresses. This 
increases the complexity of successful exploitation. While not trivial, 
exploitation is definitely plausible.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Adobe
Acrobat 5.0.5, specifically, pdf.ocx version 5.0.5.452. It is suspected
that all current versions of Adobe Acrobat/Acrobat Reader are affected
by this vulnerability.

V. WORKAROUND

Change Adobe Acrobat/Acrobat Reader settings to prevent PDF files from
automatically opening when accessed via a web browser. When prompted,
first save the file to disk before opening thereby closing the
exploitation vector described.

This can be accomplished using the following steps:

1. Open Adobe Acrobat/Acrobat Reader 
2. Go to Edit --> Preferences
3. Uncheck the "Display PDF in browser" setting
4. Click OK

VI. VENDOR RESPONSE

iDEFENSE brought this vulnerability to the attention of the vendor
according to the publicized timeline. However, the vendor appears to
have attempted to silently fix this vulnerability without coordinating
public disclosure of the issue. Moreover, the vendor does not appear to
have publicly posted details of the security fix to inform clients of
the risks posed by unpatched versions of the software.

Adobe has stated that the vulnerability was patched in Adobe Acrobat
Reader 6.0.2. However, iDEFENSE has tested proof of concept exploit code
that will cause the latest version of Adobe Acrobat Reader (6.0.2) to
crash. Adobe has not provided details on the status of a fix for Adobe
Acrobat.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0629 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/19/2004   Initial vendor notification
04/19/2004   iDEFENSE clients notified
04/19/2004   Initial vendor response
06/07/2004   Approximate release date of Adobe Acrobat Reader 6.0.2 
08/13/2004   Public disclosure

IX. CREDIT

Rafel Ivgi (the_insider[at]mail.com) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Copyright 2019, SecurityGlobal.net LLC