iDefense Security Advisory 11.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 04, 2008

I. BACKGROUND

The getPlus Download Manager is a software management tool. It is used
to download, install, and update other software through the browser.
The getPlus Download Manager consists of an ActiveX control that is
used to prompt users to install other vendor's software. Adobe uses
this control for web based installations of Adobe Reader. If a client
installed Adobe Reader through the Adobe website, they will have the
control on their system. For more information see the vendor's site at
the following URL.

http://www.adobe.com/support/security/bulletins/apsb08-19.html

II. DESCRIPTION

Remote exploitation of a stack based buffer overflow vulnerability in
NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by
multiple vendors, could allow an attacker to execute arbitrary code
with the privileges of the current user.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. Exploitation
requires that attackers social engineer victims into viewing a
malicious web page. After the user visits the malicious web page, no
further user interaction is needed if the user already has the control
installed.

If the user visiting the web page does not already have the getPlus
control installed, they will be prompted to install it.

This control could potentially be used by a number of different software
vendors. The exploitability of this vulnerability is likely to be
dependent on the way that the given vendor uses the control. In the
case of Adobe Reader, the installation file that triggers the
vulnerability needs to be located on a site ending in adobe.com.
Normally, such a condition would make exploitation significantly more
difficult. However, in this case, by using the http://bugs.adobe.com
site, an attacker can place arbitrary text files onto the site. These
files are supposed to contain information relevant to bug reports, but
this functionality could be abused by an attacker for the purpose of
exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in getPlus
gp.ocx version 1.2.2.50, which is used in web based installations of
Adobe Reader 8.1. Previous versions may also be affected. In order to
determine if this version of the control is installed, the Registry
Editor can be used to attempt to browse to the registry key:

HKEY_CLASSES_ROOT\CLSID\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

If that key exists, then the control is installed.

V. WORKAROUND

Setting the kill bit for this control will mitigate the threat of web
based attacks which could be conducted through Internet Explorer. The
CLSID for the vulnerable control is

CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7

VI. VENDOR RESPONSE

Adobe reports that the input validation issue in the Download Manager
used by Adobe Reader has been resolved. Adobe has released an update
which addresses this issue. For more information, consult their
advisory at the following URL.

http://www.adobe.com/support/security/bulletins/apsb08-19.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4817 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/05/2008  Initial Vendor Notification
02/06/2008  Initial Vendor Reply
10/31/2008  Additional Vendor Feedback
11/04/2008  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
  There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.