A design error vulnerability exists in Adobe Reader and Adobe Acrobat Professional. A remote attacker who successfully exploit this vulnerability can control the printer without user's permission. Affected software versions include Adobe Reader 8.1.1 and below and Adobe Acrobat Professional 8.1.1 and below. This is an updated advisory.
2cbd1fa58213bb05a1302dcd79477d4bf94dbb3a84581019cd11a86426875dff
[UPDATE]Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability
by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net, updated on 2008.05.06
Summary:
A design error vulnerability exists in Adobe Reader and Adobe
Acrobat Professional. A remote attacker who successfully exploit this
vulnerability can control the printer without user's permission.
Affected Software Versions:
Adobe Reader 8.1.1 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions
Details:
This vulnerablity due to the design error of the javascript
fucntion "DOC.print()", following are the annotates of the function in
Adobe's Javascript API Reference(named "js_api_reference.pdf"):
--START--
(Acrobat 7.0) Non-interactive printing can only be executed during
batch, console, and menu events. Printing is made non-interactive by
setting bUI to false or by setting the interactive property to silent,
for example:
var pp = this.getPrintParams();
pp.interactive = pp.constants.interactionLevel.silent;
Outside of batch, console, and menu events, the values of bUI and of
interactive are ignored and a print dialog box will always be
presented.
--END--
But Adobe has not realized it in the current version, so we can
call the printer silently without user's permission. The attacker can
build a vicious PDF document, once the victim view the document with
Adobe Acrobat Professional or Adobe Reader, it will waste a lot of the
victim's printer resources. For example, attacker can build a PDF
document including the following scripts:
var pp = this.getPrintParams();
pp.interactive = pp.constants.interactionLevel.silent;
for (var i=0;i<10000;i++)
{
this.print(pp);
}
It will print this document 1000 times without user's permission.
Solution:
Adobe has released an advisory for this vulnerability and a patch
for Adobe Acrobat/Reader 8 but not for Adobe Acrobat/Reader 7 which
are available on:
http://www.adobe.com/support/security/advisories/apsa08-01.html
Right now Adobe released the final advisory and patch which are
available on:
http://www.adobe.com/support/security/bulletins/apsb08-13.html
Fortinet advisory can be found at:
http://www.fortiguardcenter.com
CVE Information:
CVE-2008-0655
Disclosure Timeline:
2007.11.01 Vendor notified
2007.11.02 Vendor responded
2008.02.07 Initial coordinated disclosure
2008.05.06 Final coordinated disclosure
--EOF--