exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2008-11-04.1

iDEFENSE Security Advisory 2008-11-04.1
Posted Nov 5, 2008
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 11.04.08 - Remote exploitation of a stack based buffer overflow vulnerability in NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by multiple vendors, could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed the existence of this vulnerability in getPlus gp.ocx version 1.2.2.50, which is used in web based installations of Adobe Reader 8.1. Previous versions may also be affected.

tags | advisory, remote, web, overflow, arbitrary
advisories | CVE-2008-4817
SHA-256 | f82cd5bb85b3a959d2c8d724ce4105aa767646e05a45b9d840a37588554309e9

iDEFENSE Security Advisory 2008-11-04.1

Change Mirror Download
iDefense Security Advisory 11.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 04, 2008

I. BACKGROUND

The getPlus Download Manager is a software management tool. It is used
to download, install, and update other software through the browser.
The getPlus Download Manager consists of an ActiveX control that is
used to prompt users to install other vendor's software. Adobe uses
this control for web based installations of Adobe Reader. If a client
installed Adobe Reader through the Adobe website, they will have the
control on their system. For more information see the vendor's site at
the following URL.

http://www.adobe.com/support/security/bulletins/apsb08-19.html

II. DESCRIPTION

Remote exploitation of a stack based buffer overflow vulnerability in
NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by
multiple vendors, could allow an attacker to execute arbitrary code
with the privileges of the current user.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. Exploitation
requires that attackers social engineer victims into viewing a
malicious web page. After the user visits the malicious web page, no
further user interaction is needed if the user already has the control
installed.

If the user visiting the web page does not already have the getPlus
control installed, they will be prompted to install it.

This control could potentially be used by a number of different software
vendors. The exploitability of this vulnerability is likely to be
dependent on the way that the given vendor uses the control. In the
case of Adobe Reader, the installation file that triggers the
vulnerability needs to be located on a site ending in adobe.com.
Normally, such a condition would make exploitation significantly more
difficult. However, in this case, by using the http://bugs.adobe.com
site, an attacker can place arbitrary text files onto the site. These
files are supposed to contain information relevant to bug reports, but
this functionality could be abused by an attacker for the purpose of
exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in getPlus
gp.ocx version 1.2.2.50, which is used in web based installations of
Adobe Reader 8.1. Previous versions may also be affected. In order to
determine if this version of the control is installed, the Registry
Editor can be used to attempt to browse to the registry key:

HKEY_CLASSES_ROOT\CLSID\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

If that key exists, then the control is installed.

V. WORKAROUND

Setting the kill bit for this control will mitigate the threat of web
based attacks which could be conducted through Internet Explorer. The
CLSID for the vulnerable control is

CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7

VI. VENDOR RESPONSE

Adobe reports that the input validation issue in the Download Manager
used by Adobe Reader has been resolved. Adobe has released an update
which addresses this issue. For more information, consult their
advisory at the following URL.

http://www.adobe.com/support/security/bulletins/apsb08-19.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4817 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/05/2008 Initial Vendor Notification
02/06/2008 Initial Vendor Reply
10/31/2008 Additional Vendor Feedback
11/04/2008 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close