Posted Jul 27, 2000
Authored by Unyun, shadowpenguin | Site shadowpenguin.backsection.net

Shadowpenguin Security Advisory #39 - Adobe Acrobat Series PDF File buffer overflow. Many versions of Acrobat for Windows 95/98/NT/2000 overflow when reading a PDF file that has a long /Registry or /Ordering string. EIP can be controlled and arbitrary code can be executed on the machine that views the PDF file. Patches available here.

tags | overflow, arbitrary, registry
MD5 | 4d24ea755d6dc347ec13d981db9ba98c

SPS Advisory #39
Adobe Acrobat Series PDF File Buffer Overflow

UNYUN <shadowpenguin@backsection.net>
Shadow Penguin Security (http://shadowpenguin.backsection.net)
-------------------------------------------------------------

[Date]

July 26, 2000

[vulnerable]

Acrobat Reader 3.0J for Windows95/98/NT/2000
Acrobat Reader 4.0J for Windows95/98/NT/2000
Acrobat Reader 4.05J for Windows95/98/NT/2000
Acrobat 3.0J for Windows95/98/NT/2000
Acrobat 4.0J for Windows95/98/NT/2000
Acrobat 4.05J for Windows95/98/NT/2000
Adobe Acrobat Business Tools for Windows95/98/NT/2000
Adobe Acrobat FillIn for Windows95/98/NT/2000

[not vulnerable]

Adobe Acrobat/Reader/FillIn/BusinessTools 4.05c

[Overview]

We found an exploitable buffer overflow in the Acrobat series for
Windows. Acrobat overflows when reading a PDF file that has a long
/Registry or /Ordering string. These are part of the font CID system
information (CIDSystemInfo), and you can see them in any PDF file
generated by Acrobat. The overflow overwrites a local buffer, so EIP
can be controlled and prepared code written into the font CID system
information can be executed. This overflow creates the possibility of
virus and trojan infection, system destruction, intrusion, and so on.

[Detailed information]

The problem is in the handling of the /Registry and /Ordering strings.
Because EIP can be controlled through the handling of /Ordering, we
describe the problem in terms of the handling of /Ordering.

Generally, a country name is written in /Ordering. The following string
is generated by Japanese Acrobat.

/Ordering(Japanese1)

If a long country name is specified as follows,

/Ordering(DDDDDD... long 'D')

you will see the following GPF dialog box (this is the case in Acrobat
3.0J):

------------------------------------------------
ACROEX32 Page fault
Module : ACROEX32.EXE, Address : 0167:004e00f2
Registers:
EAX=88888888 CS=0167 EIP=004e00f2 EFLGS=00010a86
EBX=00e38788 SS=016f ESP=007ee3b4 EBP=007ee518
ECX=007ee4b0 DS=016f ESI=00fe393b FS=0edf
EDX=00000006 ES=016f EDI=007ee3c4 GS=0000
Bytes at CS:EIP:
c6 44 05 98 00 e8 54 17 05 00 66 89 85 14 ff ff
------------------------------------------------

The page fault was caused by the following code (you can see it in the
GPF dialog box):

c6 44 05 98 00

This is "mov byte ptr [ebp+eax-68h],0".
EAX is 0x88888888; this value is the sum of two values stored at
specific offsets in the buffer, offsets 83 and 91. If 0x80808080 and
0x7f7f7f7f are stored at those offsets, EAX is set to 0xffffffff. The
memory at ebp-1-68h is writable, so when EAX is -1 the page fault does
not occur and the instructions are executed until RET. The return
address is stored at offset 102.

In Acrobat 4.0/4.05, EAX can be set by the values at offsets 66 and 78,
and EIP can be set by the value stored at offset 74 (we could write an
exploit that works against both 3.0 and 4.0/4.05).

NULL, '(' and ')' cannot be used, because they are the termination
characters for /Ordering and /Registry.
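As an added defender-side example (not code from the advisory or from Shadow Penguin Security), the scanner below reads raw PDF bytes and flags /Registry or /Ordering literal strings longer than a plausible length, honouring PDF string escaping and nested parentheses; the sample PDF fragments and the 64-byte threshold are constructed assumptions.

```python
import re

# Constructed sample PDF fragments (not taken from the advisory): a benign
# CIDSystemInfo dictionary as Japanese Acrobat would emit it, and one whose
# /Ordering value is far longer than any real country name.
BENIGN_PDF = (b"<< /Type /Font /Subtype /CIDFontType0 /CIDSystemInfo "
              b"<< /Registry(Adobe) /Ordering(Japan1) /Supplement 2 >> >>")
SUSPECT_PDF = (b"<< /CIDSystemInfo << /Registry(Adobe) /Ordering("
               + b"D" * 200 + b") >> >>")

# Assumed threshold: legitimate Registry/Ordering values are a few bytes long.
MAX_LEN = 64
KEYS = (b"/Registry", b"/Ordering")

def read_literal_string(data, start):
    """Return the bytes of the PDF literal string whose '(' is at data[start].
    Handles backslash escapes and balanced nested parentheses; returns None
    if the string is never terminated."""
    assert data[start:start + 1] == b"("
    depth, i, out = 1, start + 1, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\" and i + 1 < len(data):   # escaped byte, copy verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return None

def find_oversized_cid_strings(data, max_len=MAX_LEN):
    """Scan raw PDF bytes for /Registry and /Ordering literal strings longer
    than max_len. Returns a list of (key, length, offset) findings; an
    unterminated string counts as running to the end of the file."""
    findings = []
    for key in KEYS:
        for m in re.finditer(re.escape(key) + rb"\s*\(", data):
            value = read_literal_string(data, m.end() - 1)
            length = len(data) - m.end() if value is None else len(value)
            if length > max_len:
                findings.append((key.decode(), length, m.start()))
    return findings
```

It only sees dictionaries stored uncompressed in the file; font dictionaries inside Flate-compressed object streams must be inflated first, and hex-string (<...>) forms of the values are not covered.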

[Fix]

Patches for this problem were released on 26 July at the Adobe site.

http://www.adobe.com/misc/pdfsecurity.html

[Caution]

We may change this information without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is only for personal experiment.

[Comments ?]

If you have any comments, please send them to the following address.
UNYUN <shadowpenguin@backsection.net>
http://shadowpenguin.backsection.net

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com
