RE: iDEFENSE Security Advisory 08.13.04: Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability

[Stephen Agar <Stephen.Agar () bmhcc org>]

When it is stated near the bottom that: 

"However, iDEFENSE has tested proof of concept exploit code that will cause
the latest version of Adobe Acrobat Reader (6.0.2) to crash."

Does this mean that the vulnerability isn't fixed at all, or are they just
saying that the "remote code execution" was fixed, but another bug causing
Acrobat to crash has popped up?

--stephen

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> customer service mailbox
> Sent: Monday, August 16, 2004 10:24 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] iDEFENSE Security Advisory 
> 08.13.04: Adobe Acrobat/Acrobat Reader ActiveX Control Buffer 
> Overflow Vulnerability
>
> Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow 
> Vulnerability
>
> iDEFENSE Security Advisory 08.13.04
> www.idefense.com/application/poi/display?id=126&type=vulnerabilities
> August 13, 2004
>
> I. BACKGROUND
>
> Adobe Acrobat/Acrobat Reader are programs for creating and/or 
> viewing documents in Adobe Portable Document Format (PDF). 
> More information is available at 
> http://www.adobe.com/products/acrobat/.
>
> II. DESCRIPTION
>
> Exploitation of a buffer overflow vulnerability in the 
> ActiveX component packaged with Adobe Systems Inc.'s 
> Acrobat/Acrobat Reader allows remote attackers to execute 
> arbitrary code.
>
> The problem specifically exists upon retrieving a link of the 
> following
> form:
>
>     GET /any_existing_dir/any_existing_pdf.pdf%00[long 
> string] HTTP/1.1
>
> Where [long string] is a malicious crafted long string 
> containing acceptable URI characters. The request must be 
> made to a web server that truncates the request at the null 
> byte (%00), otherwise an invalid file name is specified and a 
> "file not found" page will be returned. Example web servers 
> that truncate the requested URI include Microsoft IIS and 
> Netscape Enterprise. Though the requested URI is truncated 
> for the purposes of locating the file the long string is 
> still passed to the Adobe ActiveX component responsible for 
> rendering the page. This in turn triggers a buffer overflow 
> within RTLHeapFree() allowing for an attacker to overwrite an 
> arbitrary word in memory. The responsible instructions from 
> RTLHeapFree() are shown here:
>
>     0x77F83AE5 MOV EAX,[EDI+8]
>     0x77F83AE8 MOV ECX,[EDI+C]
>     ...
>     0x77F83AED MOV [ECX],EAX
>
> The register EDI contains a pointer to a user-supplied 
> string. The attacker therefore has control over both the ECX 
> and EAX registers used in the shown MOV instruction.
>
> III. ANALYSIS
>
> Successful exploitation allows remote attackers to utilize 
> the arbitrary word overwrite to redirect the flow of control 
> and eventually take control of the affected system. Code 
> execution will occur under the context of the user that 
> instantiated the vulnerable version of Adobe Acrobat.
>
> An attacker does not need to establish a malicious web site 
> as exploitation can occur by adding malicious content to the 
> end of any embedded link and referencing any Microsoft IIS or 
> Netscape Enterprise web server. Clicking on a direct 
> malicious link is also not required as it may be embedded 
> within an IMAGE tag, an IFRAME or an auto-loading script.
>
> Successful exploitation requires that a payload be written 
> such that certain areas of the input are URI acceptable. This 
> includes initial injected instructions as well as certain 
> overwritten addresses. This increases the complexity of 
> successful exploitation. While not trivial, exploitation is 
> definitely plausible.
>
> IV. DETECTION
>
> iDEFENSE has confirmed the existence of this vulnerability in 
> Adobe Acrobat 5.0.5, specifically, pdf.ocx version 5.0.5.452. 
> It is suspected that all current versions of Adobe 
> Acrobat/Acrobat Reader are affected by this vulnerability.
>
> V. WORKAROUND
>
> Change Adobe Acrobat/Acrobat Reader settings to prevent PDF 
> files from automatically opening when accessed via a web 
> browser. When prompted, first save the file to disk before 
> opening thereby closing the exploitation vector described.
>
> This can be accomplished using the following steps:
>
> 1. Open Adobe Acrobat/Acrobat Reader
> 2. Go to Edit --> Preferences
> 3. Uncheck the "Display PDF in browser" setting 4. Click OK
>
> VI. VENDOR RESPONSE
>
> iDEFENSE brought this vulnerability to the attention of the 
> vendor according to the publicized timeline. However, the 
> vendor appears to have attempted to silently fix this 
> vulnerability without coordinating public disclosure of the 
> issue. Moreover, the vendor does not appear to have publicly 
> posted details of the security fix to inform clients of the 
> risks posed by unpatched versions of the software.
>
> Adobe has stated that the vulnerability was patched in Adobe 
> Acrobat Reader 6.0.2. However, iDEFENSE has tested proof of 
> concept exploit code that will cause the latest version of 
> Adobe Acrobat Reader (6.0.2) to crash. Adobe has not provided 
> details on the status of a fix for Adobe Acrobat.
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the name CAN-2004-0629 to this issue. This is a 
> candidate for inclusion in the CVE list 
> (http://cve.mitre.org), which standardizes names for security 
> problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 04/19/2004   Initial vendor notification
> 04/19/2004   iDEFENSE clients notified
> 04/19/2004   Initial vendor response
> 06/07/2004   Approximate release date of Adobe Acrobat Reader 6.0.2 
> 08/13/2004   Public disclosure
>
> IX. CREDIT
>
> Rafel Ivgi (the_insider[at]mail.com) is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert 
> electronically. It may not be edited in any way without the 
> express written consent of iDEFENSE. If you wish to reprint 
> the whole or any part of this alert in any other medium other 
> than electronically, please email 
> customerservice () idefense com for permission.
>
> Disclaimer: The information in the advisory is believed to be 
> accurate at the time of publishing based on currently 
> available information. Use of the information constitutes 
> acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. 
> Neither the author nor the publisher accepts any liability 
> for any direct, indirect, or consequential loss or damage 
> arising from use of, or reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html