Home page logo
/

bugtraq logo Bugtraq mailing list archives

VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 10 Jul 2013 17:21:48 +0200

Hi @ll,

the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party)
components:

1. Adobe Flash Player Plugin 11.5.502.110

| X:\>filever.exe /S "%ProgramFiles%\Adobe\npswf*.dll"
|        x:\program files\adobe\reader 11.0\reader\npswf*.dll
| --a-- W32i   DLL ENU    11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll

   Cf. <http://www.adobe.com/support/security/bulletins/apsb13-17.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-16.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-14.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-11.html>
   <http://www.adobe.com/support/security/bulletins/apsb13-09.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-08.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-05.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-04.html>,
   <http://www.adobe.com/support/security/bulletins/apsb13-01.html>
   and <http://www.adobe.com/support/security/bulletins/apsb12-27.html>

   The wise guys at Adobe missed 10 security updates of their own product!


2. MSVC++ 2008 runtime libraries 9.0.21022.8

| X:\>filever.exe /S "%SystemRoot%\WinSxS\msvc?90.dll"
|        x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
| --a-- W32i   DLL ENU     9.0.21022.8 shp    224,768 11-06-2007 msvcm90.dll
| --a-- W32i   DLL ENU     9.0.21022.8 shp    568,832 11-07-2007 msvcp90.dll
| --a-- W32i   DLL ENU     9.0.21022.8 shp    655,872 11-07-2007 msvcr90.dll

   These DLLs have been updated several times since 2007-11-07, cf.
   <http://support.microsoft.com/kb/973551> and
   <http://support.microsoft.com/kb/973552> alias
   <http://www.microsoft.com/technet/security/bulletin/ms09-035>
   as well as <http://support.microsoft.com/kb/2467174> and
   <http://support.microsoft.com/kb/2538243> alias
   <http://www.microsoft.com/technet/security/bulletin/ms11-025>

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
         MS11-025!


3. MSVC++ 2010 runtime libraries 10.0.40219.1

| X:\>filever.exe /S "%SystemRoot%\System32\msvc?100.dll"
|        x:\windows\system32\msvcp100.dll
| --a-- W32i   DLL ENU    10.0.40219.1 shp    421,200 02-19-2011 msvcp100.dll
|        x:\windowsp\system32\msvcr100.dll
| --a-- W32i   DLL ENU    10.0.40219.1 shp    773,968 02-19-2011 msvcr100.dll

   Cf. <http://support.microsoft.com/kb/24671743> and
   <http://support.microsoft.com/kb/2565063> alias
   <http://www.microsoft.com/technet/security/bulletin/ms11-025>

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
         MS11-025!


Unfortunately, the wise guys at Adobe don't know the platform on which their
product runs and include the MSVC++ 2008 and 2010 runtimes via MSI merge module.

Due to a well-known idiosyncrasy of Windows Update Agent M$FT components
installed via MSI merge module are NOT detected and thus not updated by M$FT ...
although M$FT advises their users to do so!

From the FAQ section of
<http://www.microsoft.com/technet/security/bulletin/ms11-025>

| In the case where a system has no MFC applications currently installed but
| does have the vulnerable Visual Studio or Visual C++ runtimes installed,
| Microsoft recommends that users install this update as a defense-in-depth
| measure, in case of an attack vector being introduced or becoming known at
| a later time.


4. Additionally, the following dangling references to Acrobat.exe are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""

The latter allows the execution of a rogue program named "Acrobat.exe" from
CWD via OLE in the security context of the logged on user.

Cf. <http://technet.microsoft.com/security/advisory/2269637>


5. On Window XP the following superfluous registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
"AppName"="AcroBroker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32Info.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
"AppName"="AdobeARM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
"Policy"=dword:00000003
"AppName"="AdobeCollabSync.exe"
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low 
Rights\ElevationPolicy\{A2397324-4D73-4870-A795-995C56F49FBD}]
"Policy"=dword:00000001
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="arh.exe"


If the wise guys at Adobe know the platform on which their product runs
a little better they'd probably know that "Low Rights\Elevation Policy"
is supported on Windows Vista and later only.


Stefan Kanthak

PS: the "PDF Preview Handlers" which are installed unconditionally on
    Windows XP are superfluous too (at least when Outlook 2007 is not
    installed).
    Cf. <http://msdn.microsoft.com/library/cc144143.aspx>

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}]
"AppID"="{5D238751-7E51-4F24-9E7D-93C58881B20B}"
"DisplayName"="@\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\",-101"
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\LocalServer32]
@="\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\ProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\TypeLib]
@="{A58FB5B3-CF96-4C63-B0D2-232A1AEA1A1B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\VersionIndependentProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}]
"AppID"="{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"
@="Adobe PDF Preview Handler for Vista"
"DisplayName"="@X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll,-101"
"DisableLowILProcessIsolation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32]
@="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib]
@="{0F6D3808-7974-4B1A-94C2-3200767EACE8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID]
@="PDFPrevHndlr.PDFPreviewHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CurVer]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers]
"{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"="Adobe PDF Preview Handler"
"{DC6EFB56-9CFA-464D-8880-44885D7DC193}"="Adobe PDF Preview Handler for Vista"


  By Date           By Thread  

Current thread:
  • VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe Stefan Kanthak (Jul 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]