exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2010-01-12.1

iDEFENSE Security Advisory 2010-01-12.1
Posted Jan 14, 2010
Authored by iDefense Labs, Code Audit Labs | Site idefense.com

iDefense Security Advisory 01.12.10 - Remote exploitation of a memory corruption vulnerability in multiple versions of Adobe Systems Inc.'s Reader and Acrobat PDF reader and processor could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when processing the Jp2c stream of a JpxDecode encoded data stream within a PDF file. During the processing of a JPC_MS_RGN marker, an integer sign extension may cause a bounds check to be bypassed. This results in an exploitable memory corruption vulnerability. iDefense has confirmed the existence of this vulnerability in latest version of Adobe Reader, at the time of testing, version 9.1.0. Previous versions may also be affected. Adobe has stated that all 9.2 and below versions, as well as all 8.1.7 and below versions are vulnerable.

tags | advisory, remote, arbitrary
advisories | CVE-2009-3955
SHA-256 | 139823d91661e5fccdd9d31846177997f1dc0fdf3d4259d9e33d6b309d80589c

iDEFENSE Security Advisory 2010-01-12.1

Change Mirror Download
iDefense Security Advisory 01.12.10
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2010

I. BACKGROUND

Adobe Reader and Acrobat are Portable Document Format (PDF) reader and
processors. For more information, please visit following pages:

http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobat/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in multiple
versions of Adobe Systems Inc.'s Reader and Acrobat PDF reader and
processor could allow an attacker to execute arbitrary code with the
privileges of the current user.

The vulnerability occurs when processing the Jp2c stream of a JpxDecode
encoded data stream within a PDF file. During the processing of a
JPC_MS_RGN marker, an integer sign extension may cause a bounds check
to be bypassed. This results in an exploitable memory corruption
vulnerability.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code with the privileges of the user opening the file. The
attacker will have to create a malicious PDF file and convince the
victim to open it. This can be accomplished by embedding the PDF file
into an IFrame inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, Acrobat will try to generate a
preview for PDF files when a folder containing PDF files is accessed,
thus triggering the exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in latest
version of Adobe Reader, at the time of testing, version 9.1.0.
Previous versions may also be affected.

Adobe has stated that all 9.2 and below versions, as well as all 8.1.7
and below versions are vulnerable.

V. WORKAROUND

None of the following workarounds will prevent exploitation, but they
can reduce potential attack vectors and make exploitation more
difficult.

Prevent PDF documents from being opened automatically by the Web browser
Disable JavaScript
Disable PDFShell extension by removing or renaming the Acrord32info.exe file

VI. VENDOR RESPONSE

Adobe has released a patch which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.

http://www.adobe.com/support/security/bulletins/apsb10-02.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-3955 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/06/2009 Initial Contact
08/06/2009 Initial Response
09/16/2009 Vendor requested POC. iDefense sent POC.
09/17/2009 Vendor response.
01/12/2010 Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by Code Audit Labs
http://www.vulnhunt.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close