
Adobe Reader 9.3.4 Multiple Memory Corruption Issues
Posted Oct 8, 2010
Authored by Brett Gervasoni | Site senseofsecurity.com.au

Adobe Reader version 9.3.4 is vulnerable to multiple memory corruption vulnerabilities. By sending specially crafted PDF files it is possible to cause memory corruption in the 3difr and AcroRd32.dll modules. Both issues trigger a null pointer condition which results in an access violation. The issue in AcroRd32.dll is triggered when Adobe Reader is closed.

tags | advisory, vulnerability
advisories | CVE-2010-3630
SHA-256 | 8cc088f240fc45c266a250afb545cea36a5bbe247a4e721a59aa2a79ae7d9a37

Adobe Reader 9.3.4 Multiple Memory Corruption - Security Advisory - SOS-10-003

Release Date.              6-Oct-2010
Last Update.               -
Vendor Notification Date.  26-Jul-2010
Product.                   Adobe Reader
                           Adobe Acrobat
Platform.                  Microsoft Windows
Affected versions.         9.3.4 verified and possibly others.
Severity Rating.           Medium
Impact.                    Denial of service, potentially code execution.
Attack Vector.             Local system
Solution Status.           Upgrade to 9.4 (as advised by Adobe)
CVE reference.             CVE-2010-3630

Details.
Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of
the application is vulnerable to multiple memory corruption
vulnerabilities. By sending specially crafted PDF files it is
possible to cause memory corruption in the 3difr and
AcroRd32.dll modules. Both issues trigger a null pointer
condition which results in an access violation. The issue in
AcroRd32.dll is triggered when Adobe Reader is closed.

Function sub_60AF56 in AcroRd32.dll raises an access violation
when it attempts to read data pointed to by the ESI register. A
partial disassembly of the function is shown below:

    push ebp
    mov ebp, esp
    sub esp, 1Ch
    and [ebp+var_4], 0
    push ebx
    push esi
    mov esi, ecx
    mov ebx, [esi+23Ch] <-- crash

Function sub_1000EEE0 in 3difr also raises an access violation
when it attempts to read data pointed to by the ECX register. A
partial disassembly of the function is shown below:

    mov ecx, [eax+4]
    mov eax, [edx+4]
    mov dx, [eax]
    cmp dx, [ecx] <-- crash
    jnz short loc_1000EF87

It may be possible to exploit these vulnerabilities to execute
arbitrary code under the context of the user running Adobe
Reader.
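
A crash-triage check for the two faulting instructions above, as an added example that is not part of the original advisory: it computes the address each instruction reads and tests whether it falls in the lowest 64 KiB, which Windows never maps for user processes. The register values are constructed for illustration (the advisory publishes no register dump), and the function names are hypothetical.

```python
import re

# Windows leaves the lowest 64 KiB of user address space unmapped, so a
# faulting read in that range normally means the base register was NULL.
NULL_PAGE_LIMIT = 0x10000

# IDA/MASM-style memory operand: [reg], [reg+NNh] or [reg-NNh]
OPERAND = re.compile(r"\[\s*(e[a-z]{2})\s*(?:([+-])\s*([0-9A-Fa-f]+)h?)?\s*\]")


def effective_address(instruction, regs):
    """Return (base_register, 32-bit address) read by the memory operand."""
    m = OPERAND.search(instruction)
    if m is None:
        raise ValueError("no register-based memory operand in: " + instruction)
    reg, sign, disp = m.groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    return reg, (regs[reg] + offset) & 0xFFFFFFFF


def triage(instruction, regs):
    """Classify a read access violation raised at `instruction`."""
    reg, addr = effective_address(instruction, regs)
    if addr < NULL_PAGE_LIMIT:
        verdict = "near-null read"
    else:
        verdict = "non-null read, trace where " + reg + " is loaded from"
    return {"base": reg, "address": addr, "verdict": verdict}


if __name__ == "__main__":
    # Constructed register dumps; the instructions are the advisory's own.
    samples = [
        ("mov ebx, [esi+23Ch] <-- crash", {"esi": 0x00000000}),
        ("cmp dx, [ecx] <-- crash", {"ecx": 0x00000000}),
        ("cmp dx, [ecx] <-- crash", {"ecx": 0x0BADF00D}),
    ]
    for insn, regs in samples:
        r = triage(insn, regs)
        print("%-32s %s=0x%08X -> 0x%08X  %s" % (
            insn, r["base"], regs[r["base"]], r["address"], r["verdict"]))
```

With ESI equal to zero, the first instruction reads address 0x23C, inside the unmapped range, which matches the null pointer condition the advisory reports.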

Proof of Concept.
Proof of concept PDF files are available to Sense of Security
customers upon request.

Solution.
A patch is available from Adobe and is included in the next
release (9.4).

Discovered by.
Brett Gervasoni from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the country's largest
organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-10-003.pdf