SPS Advisory #39
Adobe Acrobat Series PDF File Buffer Overflow

UNYUN
Shadow Penguin Security (http://shadowpenguin.backsection.net)
-------------------------------------------------------------

[Date]
  July 26, 2000

[vulnerable]
  Acrobat Reader 3.0J for Windows95/98/NT/2000
  Acrobat Reader 4.0J for Windows95/98/NT/2000
  Acrobat Reader 4.05J for Windows95/98/NT/2000
  Acrobat 3.0J for Windows95/98/NT/2000
  Acrobat 4.0J for Windows95/98/NT/2000
  Acrobat 4.05J for Windows95/98/NT/2000
  Adobe Acrobat Business Tools for Windows95/98/NT/2000
  Adobe Acrobat FillIn for Windows95/98/NT/2000

[not vulnerable]
  Adobe Acrobat/Reader/FillIn/Business Tools 4.05c

[Overview]
  We found an exploitable buffer overflow in the Acrobat series for Windows.
  Acrobat overflows when reading a PDF file that contains a long /Registry
  or /Ordering string. These are two of the entries of a font's
  CIDSystemInfo dictionary; you can see them in any PDF file generated by
  Acrobat. The overflow overwrites a local (stack) buffer, so EIP can be
  controlled and code prepared inside the CIDSystemInfo strings can be
  executed. Since the overflow is triggered simply by opening a PDF file,
  it opens the possibility of virus and trojan infection, system
  destruction, intrusion, and so on.

[Detailed information]
  The problem is in the handling of the /Registry and /Ordering strings.
  Since EIP can be controlled through the handling of /Ordering, we
  describe the problem in terms of /Ordering.

  Generally, a country name (the character collection) is written in
  /Ordering. The following string is generated by Japanese Acrobat:

    /Ordering(Japanese1)

  If a long country name is specified as follows,

    /Ordering(DDDDDD...
 long 'D')

  you will see the following GPF dialog box (this is the case for
  Acrobat 3.0J):

  ------------------------------------------------
  ACROEX32
  Page fault
  Module : ACROEX32.EXE, Address : 0167:004e00f2
  Registers:
  EAX=88888888 CS=0167 EIP=004e00f2 EFLGS=00010a86
  EBX=00e38788 SS=016f ESP=007ee3b4 EBP=007ee518
  ECX=007ee4b0 DS=016f ESI=00fe393b FS=0edf
  EDX=00000006 ES=016f EDI=007ee3c4 GS=0000
  Bytes at CS:EIP:
  c6 44 05 98 00 e8 54 17 05 00 66 89 85 14 ff ff
  ------------------------------------------------

  The page fault is caused by the following code (you can see it in the
  GPF dialog box):

    c6 44 05 98 00

  This is "mov byte ptr [ebp+eax-68h],0". EAX is 0x88888888; this value
  is the sum of two DWORDs stored at fixed offsets in the string, offsets
  83 and 91 (the string is filled with 'D' = 0x44, and
  0x44444444 + 0x44444444 = 0x88888888). EAX becomes 0xffffffff if
  0x80808080 and 0x7f7f7f7f are stored at those two offsets. The memory
  at ebp-1-68h (ebp-69h) is writable, so when EAX is -1 no page fault
  occurs and the instructions are executed up to the RET. The return
  address is taken from offset 102 of the string.

  In Acrobat 4.0/4.05, EAX is set from the values at offsets 66 and 78,
  and EIP is set from the value stored at offset 74 (so we could write a
  single exploit that works against both 3.0 and 4.0/4.05).

  NULL, '(' and ')' cannot be used: they are the termination characters
  for /Ordering and /Registry.

[Fix]
  The patch for this problem was released by Adobe on 26 July:
  http://www.adobe.com/misc/pdfsecurity.html

[Caution]
  We may change this information without notice. Use of this information
  constitutes acceptance for use in an AS IS condition. There are NO
  warranties with regard to this information. In no event shall the author
  be liable for any damages whatsoever arising out of or in connection
  with the use or spread of this information. Any use of this information
  is only for personal experiment.

[Comments ?]
  If you have any comments, please send them to the following address.
  UNYUN
  http://shadowpenguin.backsection.net

-----
UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com
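The advisory gives no code, so the following is an added example, not code from Shadow Penguin Security or Adobe. It shows the check a reviewer of incoming PDF files would want for the problem described under [Detailed information]: it measures the /Registry and /Ordering literal strings in a PDF buffer, following the PDF rules for balanced parentheses and backslash escapes rather than the single-terminator behaviour the advisory describes for Acrobat, and flags any string that exceeds a size limit. To have something to scan, it also builds a CIDSystemInfo dictionary whose /Ordering is n repeated 'D's, mirroring the advisory's trigger; that dictionary, the 64-byte CID_STRING_LIMIT and all function names are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical threshold. Real orderings are a handful of characters,
   while the advisory's return-address offsets (102 in 3.0J, 74 in
   4.0/4.05) lie well beyond 64 bytes. */
#define CID_STRING_LIMIT 64

/* PDF whitespace (NUL counts as whitespace in the PDF spec). */
static int is_pdf_ws(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '\f' || c == '\0';
}

/* Measure a PDF literal string that starts at buf[pos] == '('.
   Unlike the terminator handling the advisory describes for Acrobat, this
   follows the spec: balanced parentheses nest and a backslash escapes the
   next byte. Returns the number of raw bytes between the outer parentheses
   and stores the index just past the closing ')' in *end; returns
   (size_t)-1 if the string is unterminated. */
static size_t literal_string_len(const char *buf, size_t len, size_t pos, size_t *end)
{
    size_t depth = 0;
    if (pos >= len || buf[pos] != '(')
        return (size_t)-1;
    for (size_t i = pos; i < len; i++) {
        char c = buf[i];
        if (c == '\\') {                /* escape: skip the next byte */
            i++;
        } else if (c == '(') {
            depth++;
        } else if (c == ')' && --depth == 0) {
            *end = i + 1;
            return i - pos - 1;
        }
    }
    return (size_t)-1;
}

/* Scan a PDF buffer for /Registry and /Ordering values. Returns the
   longest string found; *over receives how many exceed limit. */
static size_t scan_cid_strings(const char *buf, size_t len, size_t limit, size_t *over)
{
    static const char *const keys[] = { "/Registry", "/Ordering" };
    size_t longest = 0;
    *over = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '/')
            continue;
        for (int k = 0; k < 2; k++) {
            size_t kl = strlen(keys[k]);
            size_t j, end, n;
            if (i + kl > len || memcmp(buf + i, keys[k], kl) != 0)
                continue;
            j = i + kl;
            while (j < len && is_pdf_ws(buf[j]))
                j++;
            n = literal_string_len(buf, len, j, &end);
            if (n == (size_t)-1)
                break;                  /* key without a literal string value */
            if (n > longest)
                longest = n;
            if (n > limit)
                (*over)++;
            i = end - 1;                /* resume scanning after the string */
            break;
        }
    }
    return longest;
}

/* Constructed sample: a CIDSystemInfo dictionary whose /Ordering is n
   repeated 'D's, as in the advisory's trigger. Not a complete PDF file.
   Returns bytes written, or 0 if cap is too small. */
static size_t build_cid_system_info(char *out, size_t cap, size_t n)
{
    const char *head = "<< /Registry(Adobe) /Ordering(";
    const char *tail = ") /Supplement 0 >>";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + n + tl + 1 > cap)
        return 0;
    memcpy(out, head, hl);
    memset(out + hl, 'D', n);
    memcpy(out + hl + n, tail, tl + 1);
    return hl + n + tl;
}

/* Build a sample with an n-byte /Ordering and scan it. Returns the longest
   CID string seen; *over receives the number of strings over the limit. */
static size_t check_sample(size_t n, size_t *over)
{
    char buf[1024];
    size_t len = build_cid_system_info(buf, sizeof buf, n);
    return scan_cid_strings(buf, len, CID_STRING_LIMIT, over);
}

int main(void)
{
    size_t over;
    size_t longest = check_sample(6, &over);     /* the size of a normal ordering name */
    printf("benign : longest=%zu over-limit=%zu\n", longest, over);
    longest = check_sample(300, &over);          /* long enough to reach the advisory's offsets */
    printf("trigger: longest=%zu over-limit=%zu\n", longest, over);
    return 0;
}
```

Compiled stand-alone, main() scans a six-byte ordering and a 300-byte one and reports the longest CIDSystemInfo string and the over-limit count for each. The scanner deliberately parses nested parentheses and escapes the way the PDF spec does, because a filter that stopped at the first ')' as the advisory says Acrobat did would under-measure a string such as (D(DDD...)D) and could be bypassed.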