Twenty Year Anniversary

adobe-acrobat-adv.txt

adobe-acrobat-adv.txt
Posted Jan 13, 2007
Authored by Piotr Bania | Site piotrbania.com

Adobe Reader versions 7.0.8 and below suffer from a remote heap memory corruption vulnerability.

tags | advisory, remote
advisories | CVE-2006-5857
MD5 | 1037cb02ed27fe35c586c2d03d97daa1

adobe-acrobat-adv.txt

Change Mirror Download


Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com



Orginal url: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt

Severity: Critical - Possible remote code execution.

CVE ID: CVE-2006-5857


Time line: 03/09/2006 - Advisory sent to ADOBE PSIRT
03/09/2006 - Initial Vendor Response
11/09/2006 - Vendor confirms the vulnerability.
09/01/2007 - Security Bulletin ready, advisory
released.


Software affected: Adobe Reader 7.0.8 and earlier - all platforms.

Tested on:
* Adobe Reader 7.0.8 and 7.0.3 (Windows)
* Adobe Reader 7.0.8 on (LINUX )



I. BACKGROUND

Adobe Reader is the most popular program for viewing documents in
Adobe Portable Document Format (PDF). More information at:
http://www.adobe.com/products/acrobat/.



II. DESCRIPTION


The problem exists when the Adobe product is trying to render
a specially crafted PDF file.


Take a look a this code snipet:

----// SNIP SNIP //-------------------------------------------------
0:000> u 08009d3f
CoolType+0x9d3f:
08009d3f 83e904 sub ecx,0x4
08009d42 890da07a1d08 mov [CoolType!CTCleanup+0xb393b 081d7aa0)],ecx
08009d48 ffb49070feffff push dword ptr [eax+edx*4-0x190]
08009d4f 8b09 mov ecx,[ecx]
08009d51 51 push ecx
08009d52 ff506c call dword ptr [eax+0x6c] ; (*)
08009d55 59 pop ecx
08009d56 59 pop ecx
----// SNIP SNIP //-------------------------------------------------


Instruction at 0x08009d52 call the location which address is stored at
[eax+0x6c]. Value of the eax points somewhere inside the allocated
heap memory block, as shown here:

----// SNIP SNIP //-------------------------------------------------
...
K: 199 -> [*] HeapAlloc(0x3E0000,0x0,0x4(4))=0x16F6FF8 end at: 0x16F6FFC
K: 200 -> [*] HeapAlloc(0x3E0000,0x0,0x4F4(1268))=0x16F6958 end at:
0x16F6E4C
K: 201 -> [*] HeapAlloc(0x3E0000,0x0,0xFE30(65072))=0x16F6E58 end at:
0x1706C88
K: 202 -> [*] HeapAlloc(0x3E0000,0x0,0x304(772))=0x1706C90 end at: 0x1706F94
K: 203 -> [*] HeapAlloc(0x3E0000,0x0,0xFE24(65060))=0x1706FA0 end at:
0x1716DC4 <- THIS ONE
----// SNIP SNIP //-------------------------------------------------

[EAX+0x6c] points to 0x222C offset from begining of the last heap memory
block.


When specially badly created PDF file is being render, there exist a
possibility to cause a memory corruption, which leads to the overwrite
of the subroutine address stored at [eax+0x6c].


Here's the debugger snipet, after calling overwritten [eax+0x6c] (note
the heap base block is different then previously mentioned, its just
another independent session):

----// SNIP SNIP //-------------------------------------------------
(25a0.2170): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=016f4320 ebx=00000000 ecx=baadf00d edx=00000069 esi=016f4ab9
edi=016f14b4 eip=baadf00d esp=0012deec ebp=0012df80 iopl=0
nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll -

baadf00d ?? ???
----// SNIP SNIP //-------------------------------------------------
The attacker can control EIP register, this may lead to a potencial code
exection in context of current user.


III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in
context of user running Adobe Reader.


IV. VENDOR RESPONSE

All pathes are available, via auto-update or
http://www.adobe.com/go/getreader/


V. POC CODE

Due to severity of this vulnerability i will not disclose any POC codes.


best regards,
pb


--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------

- "The more I learn about men, the more I love dogs."



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    9 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    34 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close