TITLE:
Adobe Document/Graphics Server File URI Resource Access

SECUNIA ADVISORY ID:
SA19229

VERIFY ADVISORY:
http://secunia.com/advisories/19229/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information, System
access

WHERE:
>From local network

SOFTWARE:
Adobe Graphics Server 2.x
http://secunia.com/product/5397/
Adobe Document Server 5.x
http://secunia.com/product/8714/
Adobe Document Server 6.x
http://secunia.com/product/1224/

DESCRIPTION:
Secunia Research has discovered a vulnerability in Adobe Document
Server and Adobe Graphics Server, which can be exploited by malicious
people to gain knowledge of potentially sensitive information,
overwrite arbitrary files, or compromise a vulnerable system.

The vulnerability is caused due to the "loadContent", "saveContent",
and "saveOptimized" ADS (Adobe Document Server) commands allowing
graphics or PDF files to be retrieved from or saved to arbitrary
locations on the server using File URIs via the AlterCast web service
running on port 8019. Files can be saved with arbitrary extensions.
This can be exploited by sending a specially-crafted SOAP request to
write a graphics file (with HTA extension) containing malicious
JavaScript as metadata to e.g. the server's "All Users" startup
folder.  This file will be executed the next time any user logs in.

Successful exploitation requires that the service is configured to
run with SYSTEM privileges (default) or with privileges of a normal
user that has been granted interactive logon rights.

The vulnerability has been confirmed in Document Server 6.0 (p026)
and Graphics Server 2.1 (d013). Other versions may also be affected.

SOLUTION:
The vendor has published additional hardening steps to prevent
exploitation of the vulnerability (see vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2005-28/

Adobe:
http://www.adobe.com/support/techdocs/332989.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------