
EEYE-adm21x.txt
Posted Dec 7, 2006
Authored by Derek Soeder | Site research.eeye.com

eEye Digital Security has discovered a stack buffer overflow in Adobe Download Manager, a utility typically installed for the purpose of downloading Adobe software such as Adobe (Acrobat) Reader. By opening a malicious AOM file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user. Adobe Download Manager versions 2.1.x and below are affected.

tags | advisory, overflow, arbitrary
SHA-256 | 5fe805f75d967bc79ae983d8de02831c3dd55807784e321a24b62a1b32608e17

eEye Research - http://research.eeye.com

Adobe Download Manager AOM Stack Buffer Overflow Vulnerability

Release Date:
December 5, 2006

Date Reported:
November 10, 2006

Severity:
High (Code Execution)

Systems Affected:
Adobe Download Manager 2.1.x and earlier

Overview:
eEye Digital Security has discovered a stack buffer overflow in Adobe
Download Manager, a utility typically installed for the purpose of
downloading Adobe software such as Adobe (Acrobat) Reader. By opening a
malicious AOM file, a user's system may be compromised by arbitrary code
within the file, which executes with the privileges of that user.

A web-based attack conducted through Internet Explorer may succeed
without the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of "application/aom" when serving up the malicious AOM
file. In such a case, an ".aom" file extension is not required.

Technical Details:
AdobeDownloadManager.exe is responsible for extracting download
instructions from AOM files, which are essentially XML with an appended
CRC32 in decimal, and committing the instructions to the file
"%APPDATA%\dm.ini" for later processing. For instance, opening the
following AOM file:

<?aom encoding="UTF-8"?>
<AdobeDownloadManager>
<AOM>
<DownloadRecord>
<url>WelcomeToMyHumbleAdobe</url>
</DownloadRecord>
</AOM>
</AdobeDownloadManager>3871966612

will generate the following lines in "dm.ini":

[STARTUP]
Status=IncompleteDownload
[WelcomeToMyHumbleAdobe]
StoreID=0
TransactionID=0
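The AOM container described above (XML followed by a CRC32 written as a decimal number) is simple enough to parse and check in a few lines. The following is an added example written for this page, not eEye's or Adobe's code: it splits an AOM file into body and trailer, computes a CRC-32, and verifies the trailer, and it also builds a well-formed file from an XML body so that test files can be produced. It assumes the CRC is the standard reflected CRC-32 (polynomial 0xEDB88320, as used by zlib) and that it covers exactly the bytes preceding the trailing digit run; the advisory does not state either detail, and the sample below is constructed here.

```c
/* Added example (not from the advisory or from Adobe): parse and verify the
 * "XML plus decimal CRC32" AOM layout the advisory describes.
 * Assumptions: standard reflected CRC-32 (zlib polynomial), covering every
 * byte before the trailing run of ASCII digits. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table-free bitwise CRC-32 (reflected, init and final XOR 0xFFFFFFFF). */
uint32_t crc32_bytes(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Find the decimal trailer: the run of digits at the very end of the file.
 * Returns the number of body bytes before it and stores the parsed value in
 * *trailer; returns 0 when there is no trailer, no body, or the digits do not
 * form a 32-bit value. */
size_t aom_split(const unsigned char *buf, size_t len, uint32_t *trailer)
{
    size_t end = len;
    while (end > 0 && isdigit(buf[end - 1])) end--;
    if (end == len || end == 0) return 0;   /* no digits, or nothing but digits */
    if (len - end > 10) return 0;           /* a CRC32 has at most 10 decimal digits */
    uint64_t v = 0;
    for (size_t i = end; i < len; i++) v = v * 10 + (buf[i] - '0');
    if (v > 0xFFFFFFFFull) return 0;
    *trailer = (uint32_t)v;
    return end;
}

/* 1 if the trailer matches the CRC of the body, 0 otherwise (including any
 * malformed input). Note that a correct CRC says nothing about the length of
 * the <url> element; the overflow described later happens after this check. */
int aom_verify(const unsigned char *buf, size_t len)
{
    uint32_t t;
    size_t body = aom_split(buf, len, &t);
    if (body == 0) return 0;
    return crc32_bytes(buf, body) == t;
}

/* Write "<xml><decimal crc>" into out. Returns bytes written, or 0 if out is
 * too small. Handy for producing test files with a valid trailer. */
size_t aom_build(const char *xml, char *out, size_t outcap)
{
    size_t n = strlen(xml);
    uint32_t c = crc32_bytes((const unsigned char *)xml, n);
    int w = snprintf(out, outcap, "%s%u", xml, (unsigned)c);
    if (w < 0 || (size_t)w >= outcap) return 0;
    return (size_t)w;
}

int main(void)
{
    /* Constructed sample modelled on the advisory's file (not its bytes). */
    static const char xml[] =
        "<?aom encoding=\"UTF-8\"?>\n<AdobeDownloadManager>\n<AOM>\n"
        "<DownloadRecord>\n<url>WelcomeToMyHumbleAdobe</url>\n"
        "</DownloadRecord>\n</AOM>\n</AdobeDownloadManager>";
    char file[512];
    size_t n = aom_build(xml, file, sizeof file);
    printf("%s\nverify: %d\n", file, aom_verify((const unsigned char *)file, n));
    return 0;
}
```

Because the trailer is located by scanning backwards for digits, a body that itself ends in digits would be mis-split; real AOM bodies end in a closing tag, as in the advisory's sample, so the scan stops at `>`.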

When launched, whether or not it is supplied with an AOM file,
AdobeDownloadManager.exe reads the entries from "dm.ini" and handles
each described download according to its properties. It begins by
reading a list of section names into a 400h-byte buffer using
GetPrivateProfileStringA, then copies each section name into a 108h-byte
stack buffer using strncpy with a length limit equal to the length of
the section name string. The result is a relatively straightforward
stack buffer overflow, with the only complication being the character
restrictions.
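The defect is the classic strncpy misuse: the length argument is derived from the source rather than the destination, so the 108h-byte stack buffer is bounded only by what fits in the 400h-byte section list. The following added example (written for this page, not eEye's or Adobe's code) reproduces that copy pattern beside a bounded version, and walks a double-NUL-terminated section list of the kind GetPrivateProfileStringA returns to count which entries would overflow. The list is constructed inline here because the Windows INI API is not portable; the two buffer sizes are the advisory's.

```c
/* Added example (not from the advisory or from Adobe): the advisory's
 * strncpy-with-source-length pattern next to a bounded copy, plus an audit
 * over a double-NUL-terminated section list like the one
 * GetPrivateProfileStringA(NULL, ...) returns. Sizes are from the advisory;
 * the list contents below are constructed. */
#include <stdio.h>
#include <string.h>

#define SECTION_LIST_CAP 0x400   /* buffer that receives the section-name list */
#define SECTION_NAME_CAP 0x108   /* stack buffer each section name is copied into */

/* strlen that never reads past cap bytes (the list buffer is finite). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* The pattern the advisory describes: the bound is strlen(source), so the
 * copy is limited by the attacker's string, not by the destination. Shown for
 * comparison; only ever called on a short name here. */
void copy_section_vulnerable(char dst[SECTION_NAME_CAP], const char *name)
{
    size_t n = strlen(name);
    strncpy(dst, name, n);   /* no protection: n is the source length */
    dst[n] = '\0';
}

/* Bounded version. Over-long names are rejected rather than truncated: a
 * silently truncated section name would address a different dm.ini record. */
int copy_section_fixed(char *dst, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (n + 1 > cap) return 0;
    memcpy(dst, name, n + 1);
    return 1;
}

/* Append a name to a double-NUL list. `used` is the byte count already in the
 * list excluding the final terminator; list[0] must be '\0' for the first
 * call. Returns the new `used`, or 0 if the name is empty or does not fit. */
size_t list_append(char *list, size_t cap, size_t used, const char *name)
{
    size_t n = strlen(name) + 1;                 /* name plus its NUL */
    if (n == 1 || used + n + 1 > cap) return 0;  /* keep room for the final NUL */
    memcpy(list + used, name, n);
    list[used + n] = '\0';
    return used + n;
}

/* Walk the list the way the vulnerable loop does and count entries whose
 * strlen-bounded copy would run past a SECTION_NAME_CAP-byte buffer. */
size_t audit_section_list(const char *list, size_t cap, size_t *longest)
{
    size_t overflows = 0, p = 0;
    *longest = 0;
    while (p < cap && list[p] != '\0') {
        size_t n = bounded_len(list + p, cap - p);
        if (n > *longest) *longest = n;
        if (n + 1 > SECTION_NAME_CAP) overflows++;   /* name plus NUL exceeds buffer */
        p += n + 1;
    }
    return overflows;
}

int main(void)
{
    char list[SECTION_LIST_CAP] = {0};
    char big[0x200], dst[SECTION_NAME_CAP];
    size_t used, longest;

    /* Constructed list: the advisory's benign name, then a 511-byte name. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    used = list_append(list, sizeof list, 0, "WelcomeToMyHumbleAdobe");
    used = list_append(list, sizeof list, used, big);

    copy_section_vulnerable(dst, "WelcomeToMyHumbleAdobe");
    printf("short name copies the same either way: %s\n", dst);
    printf("entries that would overflow a %#x-byte buffer: %zu (longest %zu bytes)\n",
           SECTION_NAME_CAP, audit_section_list(list, sizeof list, &longest), longest);
    printf("bounded copy accepts the long name? %d\n",
           copy_section_fixed(dst, sizeof dst, big));
    return 0;
}
```

On short input the two copies behave identically, which is why this kind of bug survives testing; the audit shows that a list buffer of 400h bytes leaves room for a single section name several hundred bytes longer than the 108h-byte destination.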

Uninstalling Adobe Download Manager, or at least removing the registry
associations for the ".aom" file extension and the "application/aom"
Content-Type, should defend against this vulnerability. Hopefully users who
have been forced to install Adobe Download Manager realized its
superfluousness and have already uninstalled it.

Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.
Blink - Unified Client Security has proactively protected from this
vulnerability since its discovery.

Vendor Status:
Adobe has released a patch for this vulnerability which is available at
http://www.adobe.com/products/acrobat/acrrmanager.html.
The vendor bulletin is available at:
http://www.adobe.com/support/security/bulletins/apsb06-19.html.

Credit:
Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Spooky action at a distance. Whoever else found that kernel race
condition. Runner-up: Automatically Downloads Malware. (Thanks
Daniel!)

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.